From YouTube: Scorecards Biweekly Sync (June 29, 2023)
A: Hi there, Christine. I think I can hear somebody; I think it's you.

A: Yeah, a lot of these are slowly trying to move over to this table format, because then people don't have to endlessly type in their names, and it converts trivially to markdown.

A: I think... oh wait. Do I not have your email?

A: Okay, the notes currently have incorrect people in, but we can fix that. Can somebody paste in the Google group name?

G: I need to get the full URL, but I've got the group email that's listed; it's the oss-scorecard-dev group.

A: I got it; it's something that's already posted in chat. So what I'm going to do is add them, but not notify, because we don't need that in our inboxes. All right, I think I fixed this. However, if your access changes, you need to click reload in your browser to get the new permissions.

A: All right. You know what, sometimes instructions don't work, but please just let us know and we will try to make the directions work.

D: Facilitator?

A: I think, yeah, I didn't say I was facilitator. I'm happy to fulfill the role, although hopefully we won't need much facilitation, but if we need to label somebody, I mean, I'm happy to do the task. And Victor, I think we're all okay.

A: I'll say, if I am facilitator, usually the first thing that I try to do is what CRob likes to call "welcome new friends."
A: Well, we'll just call it by its ritual name. You're welcome, anyway; we're glad to have you. What was that, Dan, was that you?

E: Yes. I'm not sure; I don't think I've been on this call before, and that's part of what I want to talk about, actually. But yeah, I'm Dan from Snyk.

G: I've been in the past. I would say two weeks ago there was a conflict with travel, but I've been here and introduced myself before.

A: Excellent, very good. All righty, let's see here. All right, so if I'm gonna play the facilitator role, I guess I'm gonna walk through the agenda, which is, I guess, announcements. Do we have any introductions or, in particular, project updates, non-trivial stuff that's changed regarding Scorecard?

A: Okay, all right, next item is Dan's request, which is: is it possible to alternate call times to accommodate European time zones? Oh my goodness.

E: Yeah, so, as I said on the Slack, I hate to be that guy, and call times are hard. I recognize that I haven't been very active in this group, but I'm hoping that I and my employer will be more active in this community. We're heavily centered, engineering-wise, in Europe.

E: Not just me; I happen to be based in London. And actually, what this came out of was I had a chat with Laurent on DM about the second item that I asked to put on the agenda today, and he suggested I raise it on a call, and I said, well...

E: I hardly ever attend the calls, because they're at 9 PM for me, which is not usually a time I'm working, or I try to generally not be working at 9:00 PM.

E: For regularly scheduled things, anyway. So yeah, I'd like to gently suggest, and we don't have to organize it here, maybe we could take it to a Doodle poll or something like that, but I think it would be generally good, not just for me, but to possibly enable or be more inclusive in general, to have an alternating call time.
K: So my teams... I'm kind of going through this exercise with a bunch of different teams, and I occasionally mentioned to the maintainers: Thursday is one of my most contested days. I have to miss this meeting so frequently, and I don't want to, because I'm triple-booked. Back in Kubernetes, when I started working on SIG Release...

K: We had a question about why the release team meetings were always at US-favorable times, and there was no specific reason for it. We just continued to do it until we realized that it was because so many of the people at the time were Googlers who were working on the infrastructure. So it was just a natural artifact of that.

A: Yeah, I mean, I think where it really comes down to is scheduling's hard. So once a meeting gets scheduled, unless somebody asks, nobody wants to rock the boat, but I think this is a good time to rock the boat. I will observe that many of the other OpenSSF meetings have already switched to alternating times to try to, you know, at least distribute the pain a little more evenly.

K: I'll jump in. I don't know who was talking just now, but there is, I think, a timeanddate-something meeting finder thing. I think to start we should take all of the time zones of the hardest...

A: Right, times with maintainers. All right, so let's talk about how we're going to do this. We've certainly done a lot of Doodle polls to work out better times. I do agree that it would be simpler if we could identify some ranges to start with, that we might vote on, and then work on the details. So I was thinking, you know, if I subtracted six to eight hours, ish, and set up a Doodle poll with a bunch of options.
K: I would say use the link I sent, the world clock meeting planner, and start... so I'm New York. We've got folks on the West Coast. We've got folks, it sounds like, potentially in APAC, or folks that maybe are in APAC that can't join because it's that bad of a time. So I would start with, you know, maybe we do US East.

K: We do West Coast, we do London, Berlin, something, and we do China, right, and see what pops out.

K: Right, yeah. Even Doodle will adjust to people's time zone as long as...

A: They absolutely do, yeah, that's right! So, you know, we don't have to. In fact, I don't think that we can pick a particular time right now. I think there are people who aren't here. I'm just looking for a range, and then we can set up a Doodle poll with a whole bunch of options, but I don't want to set up, you know, 24 times seven blocks or 24 times five blocks of possibilities.

A: Go London... if East, oh, East London is South Africa, never mind.

A: Let's see here. We can do Pacific, San Francisco. You mentioned, sure, why not, San Francisco. I would add Beijing.

A: Okay, what do I search for, Jerusalem? What's the...

A: Exactly, that suits me fine, all right! So this is at least going to give us an idea of pain. All right.

A: All right, okay, this...
E: Having an alternating thing makes sense, but I would say, David, I think that the so-called golden hours, when it comes to US East Coast slash Europe, tend to be between two and six my time, because that's where everything is on my calendar.

E: The only time that... yeah, that's why, in one of the other groups that I'm in, in W3C, we alternate our plenary call between 5 PM London time and 7 AM London time. Both of them are doable for me, but one of them doesn't work very well. The 5 PM really doesn't work well for Asia. The 7 AM kind of is painful for people on the West Coast, but they can do it. So it's like 11 PM...

E: ...West Coast time. So that's one option that could work, but you know.

I: So I worked with teams in Asia Pacific and Europe. Typically, I think, early morning Pacific, so like about 6 AM; I think someone suggested that in chat. Even though that's not business hours in Asia Pacific, people in Asia are used to having meetings at those times, so whether that's India or China, it's typical of them to have business meetings at those times because they're frequently working with teams in the US, so it wouldn't be unusual, I mean, for them to attend something.

K: I know that if someone made that assumption for me, I would just not attend that meeting. So I think we can start with: if we're saying that this time is good for us, then maybe it's fine, right? But it looks like the sweet spot, somewhere between 12 and 7, is looking to be where we have at least one meeting that connects US East, maybe some of US Pacific, and EMEA, right. Then there is a second meeting that...
A: Here, okay. So I guess, what's the final proposal given this? Look, what dates, I'm imagining at least Thursdays, maybe Monday through Thursday, and which times should I put up a poll for?

K: We should look for... sorry, I have a meeting chat in the way. Sorry, so for Washington, London, San Francisco, we should look for things that hit in that yellow and green area, right, for everyone, and Tel Aviv, if we can pull them in. Right, for everyone else, like, one, we don't make the decision now... well, for everyone else.

K: We try to find a window that excludes, say, London, for example, right, to get closer to the green and yellow for Beijing, right? Mm-hmm.

K: You know, for this first one, if we can target something like London, Washington DC, Tel Aviv. If we can swing San Francisco, then fine, but those are all closer, time-zone-wise, right.

E: I don't think it's 24 hours, it's the ranges that work for those two categories that Stephen just talked about, or, I think, the Pacific US audience and the Europe/US East audience.

K: San Francisco, we're maybe less concerned with them, right. What we're trying to pull in is more of the EMEA side, right, so the first one would be like US East, London, Tel Aviv, right, and you get a time that's closer to their green and yellow windows. And then you focus on San Francisco and APAC, right, to get a time that's green and yellow for them. And we have maintainers that are both US East and US West, so we'll have coverage in both of those meetings.

G: Just to complicate things further: if we don't have enough, we do have a number of folks, or at least about two or three, in Sydney now that want to start working more on the project. I was looking; I thought they would be close enough to Beijing, but they're... Also, right, oh really, well, they're about two hours offset, similar to Tel Aviv and London.

G: They are; it's just that, okay, a lot of times they will meet early in the morning rather than late at night. Okay, that's kind of where it...

K: Yeah, they should be part of the SF and Asia Pacific pool, right. And the further complication, and we'll see when time zones shift: their daylight savings is in the opposite direction, right.

A: All right, so two Doodle polls, one to try to get the Pacific and US West and the other to get Europe, US East, and we'll basically split it off. Okay, now I understand what you were trying to accomplish there. Okay, thank you.
E: Right, David, I can be very quick about the two other agenda points that I put in, if you want me to. Sure, okay. So one thing: this was something that somebody in my DevRel team got in touch with me about.

E: They saw a trace from somebody who was using Scorecard in their pipeline, and the output sent somebody off to a URL which was on stepsecurity.io, which is like a commercial product. And so he raised an alarm with me and he said, hey, wait, aren't we a member of OpenSSF? Why is this OpenSSF thing sending somebody to a competitor? I don't know that StepSecurity...

E: ...is a competitor or whatever, but I just wanted to raise it, because it reminded me of the fact that, in the SCM best practices work that's happening in the Best Practices working group, Christine and I are working with Legitify, who actually came up with a whole bunch of remediation steps and further information about SCM configuration options, which were contributed into the OpenSSF Best Practices working group.

E: So those actually are sitting in that GitHub repo right now, and we're working with that data. So one suggestion could be: if this remediation material is... could it be donated to OpenSSF? Is there some... you know, so I'm happy to help try and figure out what the answer is, but I think it would be better from a vendor neutrality standpoint for Scorecard to not be sending people off to third-party commercial sites.

K: You know, at least to start, reference the secure-repo GitHub project, which is open source on their side, as opposed to stepsecurity.io, which is a company, right, and then we kind of fix the pieces as we go, but...

A: Not only can we not prevent it, but we want products to use it. But it should be that they're using something we develop, not that we're pointing them to it, unless we agree, and then it needs to be scoped and so on. Do you know where that's happening? Because I don't remember where.

K: It's within our checks, within the Scorecard checks, the remediation documentation. Yeah, so like pinning the hashes or something, right, it will tell you, hey, by the way, if you want something that will generate, say, a GitHub Actions workflow manifest that gives you pinned actions, you can go to StepSecurity. So it used to be like, go to stepsecurity.io secure-repo, where you could go to the UI...

K: ...stick your repo in, or copy and paste your workflow, and then it would spit out a hardened workflow for you, right. And now I think there are some other redirects in place that take you to the main company site. So, but yeah, there's something to fix there. Gotcha.

A: Okay. I mean, we're not forbidden from referring to proprietary sites, but it needs to be decided upon and agreed on and all that good stuff, and yeah.
E: Your point about our companies using Scorecard: we're incorporating Scorecard and Scorecard data into some products that Snyk has, so, like, yeah.

A: Yeah, but it's the linking over. That definitely is...

A: So I don't want to just leave this as some discussion, although I think we're all in agreement. What can we do to turn this discussion into some actions? Can somebody kind of do the walkthrough, or at the very least, Dan, if you...

A: ...know where the links are, can you point us, and we'll, you know... if nothing else, let's make an issue pointing out some of the problems, so at least we know what the problems are, and then start working it out. Let's create an issue to identify and resolve these. Dan, would you mind creating the issue?

A: No, no, no, it's a necessary kerfuffle, and that's completely different. But, you know what, create the issue. If you know the specific locations, let us know, or at least the pattern to look for; that would be helpful. I mean, obviously we can do that, but the more information you give us, the more likely we're going to do a good job of the result, if that...

K: Makes sense. The machine just dropped a bunch of details, and they just dropped a search.

A: Excellent, yeah, even just, here's the pattern to grep for, yeah. What's the issue number? I can't see 12 things at once. So let's see.

K: Oh, Dan has to open the issue. I don't think the issue...

A: Okay, you know what, all right. If you wouldn't mind, create the issue, and when you know the issue number, stick the link into these notes, and that way everybody knows to go right there. And this is not necessarily done, but at least we've started. Awesome, excellent. Thank you so much, Dan. This is the kind of kerfuffling we want.
E: Okay, and while I've got the... the only other thing I put on the agenda was, I just wanted to put this issue, or PR 3107, which is one that I made, which adds the data license. David, you already commented on that and said, "I've gone to LF legal." I just wanted to pop my head up and say, yes, this is not something that just came out of my mind.

E: This is something, again, I'm getting questions from my company about, and this is why... it's something important for us. So I'd like to make sure that it's clear, anyway, what the data license is that's associated with the data that the API produces, not to do with the open source license of, you know...

E: It's a separate licensing issue, basically, is my point, and I'm happy to clarify that with anybody at length out of band. So if anybody has questions about that or needs clarification about what I'm talking about, then please feel free to ping me. Okay, okay.

A: I did send a legal JIRA request. Oddly enough, it doesn't look like I got a response; I hadn't noticed it. So let me... and usually they do it every Friday, so I don't know why I haven't gotten a response.

D: I think right now the text says, you know, this is the issue, please go, like, update it by going to this link. So we could definitely change it, or we can make this even more modular; those things would be in our control to do, if there was an issue. And I wonder if maybe the...
K: I mean, so yeah. The way to do it in my head would be to say, okay, we know what the link is, right, and we know that it's step-security/secure-repo, I think, is the repo, right. Is there a library that we can use that can easily derive the SHA? Like, one of the things that it's doing for remediation is, like, pin the SHAs, right. If we can derive the SHAs that should be in the repo, then we can present a, hey, this thing should be pinned here.

D: Yeah, like, for example, I think ratchet may do something similar, where it can say you can replace this with, like, here is the SHA that you should pin it to. So yeah, I mean, we can change the messaging, but what I understood from the conversation was that this should be a donation, which isn't like a GitHub issue per se, more like a conversation that could be had or something.

E: Yeah, I just had mentioned that in the case of the SCM best practices, Legitify staff had contributed the information into the Best Practices working group. So the information that you see there... and I can find the link to the SCM best practices.

K: I mean, yes, we have an example in the meeting notes, right. So the donation of the visualizer, for example, is one thing where at some point in time a group of people decided that, hey, this is functionality that could live in Scorecard as opposed to external, right. There's another one, scorecard-monitor, that I need to get back on. But it's really part conversation; at some point, you know, with the SCM best practices, they said, hey, this is great.

K: Let's move this closer to where everybody's going to be looking, right. So this is: do we want to provide the functionality of what should happen during the remediation? We definitely don't want to point people externally, which is what Dan is saying, but there is a middle ground where we can provide the functionality, or we can tell people how to derive the correct answer, that doesn't involve sending them to a corporate site.

A: Right, okay. Just FYI, I know a little bit about their process. The legal teams review proposals and changes every Friday, so hopefully they'll get a chance to look at this tomorrow, and you know.
A: All right, I have sent on some further requests, Dan, trying to give them some more information to try to get some answers back. Okay.

E: Let me know if I can give any help. If they come back with any questions and you want me to help delve into responding to the questions, I'm happy to help.

A: Okay, thank you. I might take you up on that, but I'm guessing not; I mean, I think they're... you know. But if I want to give up on that, I will definitely let you know.

A: Okay, whoops, too many tabs. I probably have to find where I am.

A: So, let's see here. In this, your licensing of the data, so I guess "David has re-contacted LF legal to get more things." Okay.

K: Can we step back for a second? We didn't discuss the visualizer. Yeah, I'm sorry, so I don't know who logged this on the agenda, but I will say my apologies for dropping the ball. I'm the one who suggested this and reached out to the maintainer, and I need to pick that ball back up. I've been working on a bunch of policy, generative AI policy stuff, internally, and that has taken up a decent chunk of my time, but I have assigned myself to it.

K: I will reach out to Ulises and move the ball forward. I have a note that I already sent out to the TAC about what the process should be. I don't think that we have a process per se, or the process that exists today may be heavyweight for what this is, right. So the process today is effectively to present a project to the TAC.

K: I would consider Scorecard to be the project that already exists, and for something like scorecard-monitor and the action that's associated with it to be derivative of Scorecard. So I can jump through the hoops of doing the current TAC process for the sake of including this project as part of Scorecard, but I believe there should be a lighter-weight way of doing that for projects that we determine are a fit with a set of functionality that we have.

K: Well, this would be a new repo, a migration of an existing repo. So, in the TAC conversation, I pointed to suggesting that we pick up something lightweight like the Kubernetes process for absorbing donated projects, right. So effectively, what would happen is we work with the maintainers to migrate their repo into the OpenSSF org. We get a team going, right, and we put that team in to admin and maintainer rights.
A: Yeah, I am definitely not big on heavyweight processes. I do want to make sure people are informed, though. Scorecard's actually within the Best Practices working group, so I think we need to at least get, you know, "hey, this is the proposal and the issues." I'm expecting zero problems. Typically, we have raised it up to the TAC, but usually that's been a "we have already made this decision," not a request for approval. But we do need to at least bring it up to the working group. I'm expecting zero issues.

A: You bring it to the working group, they say yay or nay, and then there's an ambiguity about whether or not the TAC has to approve or just simply be notified. And the other issue, which people don't normally see, is the LF does have to check the license. If you're Apache 2.0 or MIT, it's a non-issue. If it's a common open source license, we may have to get permission. It's...

A: Exactly. If they're Apache 2.0 or MIT, the copyright issues generally disappear, unless somebody's claiming that they did something illegal, which we've never had happen, but you know. And the other is trademark. So basically, we need to just ask, hey, are there patents, trademarks, any issues? It almost never actually happens, but we have to ask the question.

A: You know, we may have to ask for governing board approval, which is usually not a problem as long as it's a widely known one. If it's bespoke, that's more of a problem, you know.
G: Yeah, great, that one's mine. This is an item that I wanted to both just try to make the group more aware of, and kind of where some of the folks who work on this project from the Google side are thinking, plans that they have. It was really born out of a question that I've gotten when I've been at different conferences and I'm talking about Scorecards; a common question...

G: ...is, you know, what does that project roadmap really start to look like? And while I couldn't quite sit down with everyone in the group for a first pass, what I did do is sit down with a few folks at Google to talk about what's work that we're really planning to contribute to the project, and what's other work that we're aware is going to happen. And so this is very much a first pass at that.

G: It's something that we'd like to build off of. You know what, I'll share my screen and just walk through quick what we've got.

G: And I'll start first with just a couple of notes. The one kind of frame of mind that we've been taking is that this is much more of a forecast than an actual plan. These aren't hard committed dates; these are when we're forecasting certain pieces of work to get done. It would be nice if they all got done at roughly those times, but we're kind of feeling it out.

G: At this point, it's very much not exhaustive, just things that are on the radar right now, things that we're generally planning. And then our rough criteria of, how is this not just every idea we have? It's idea plus the ability to make an engineering commitment behind it. And so, without further ado, everything that fit those criteria we put just along a 2022 timeline, and then started to just throw some different things into the 2024-plus group as well.
G: So you'll see things here like Scorecard for GitLab, which I would say is Google-assisted but not a Google-driven project, but it's a known contribution that folks at Lockheed have been working on.

G: We've got things like structured results, which is a project that we know we need to vet with the larger group, but it's the idea of seeing if we can make Scorecard a little bit more flexible for some organizational cases. Something that's related to that: maintainer annotations, giving maintainers the ability to basically establish a bi-directional communication mechanism and say, I see this score, but here's some additional context.

G: That might be helpful: if you see a low score here, here's some other things to evaluate. And then also something that would mean a good, healthy amount of discussion is some ecosystems have more or less best practices that would apply more to their, you know, Go ecosystem or Python ecosystem.

G: Really having that discussion in terms of, does this make sense, to kind of try to break down Scorecards a little bit more so that they fit specific ecosystems? Is that item. And then, I know we're short on time, so I'm not going to go through all of the 2024-plus items here, but there's a general theme of trying to just expand features.

G: Integrations, making Scorecards more actionable, which is what we mean by remediation, making them easier to consume, with better visualization and better understanding of how transitive dependencies are connected.

G: So again, a starting point from some of the work that the folks on Google's open source security team are looking at. I think there's another whole discussion over what would be effective tooling for roadmap building across a project like this, but for now, feedback would be greatly appreciated. And if there are things that you were really planning on making sure go into the roadmap, or things that you're already planning to do, let's definitely talk about those. I think the dream would be...

G: ...some level of combined roadmap, which is a feature and an owner and a rough timeline of when it would happen. I think it's helpful not just for us, but I think it's really helpful for potential users of Scorecards and people who might become partners in the future.
F: Well, one serious thing: the org-level GitHub Projects has been helpful in terms of having a cross-organization place to plan out work down to a moderately fine-grained level. Okay, all the rest is just...

K: Kubernetes, not on again... my release team has worked on some automation around GitHub project boards for the CI signal and kind of release visibility stuff. It would be good to see what we could leverage from that, definitely, because we used old project boards, and there was a CI signal report, and we did a whole bunch of stuff, and we're like, can we just make this once?

K: This is when GitHub Projects was in beta, and now that it is the thing to use, we can do a bit of tweaking and see if we can pull in any of that too. I would say, from the roadmap perspective, right at the end you said the point that I was gonna raise my hand for: how can we abstract this into a community roadmap as opposed to a Google-based roadmap, right? And sure, we may have Googlers...

K: ...who would be the executors of those things that are of interest to Google, in partnership with other folks in the Scorecard contributor pool. But then, at least if we bless this as a provisional community roadmap, we can present this to people who are on the mailing list, people who are in the Best Practices group, and say, what do you think is missing, and who's going to come in and put hands on keyboards to get it done?

G: We very much have a shared vision on wanting the community roadmap. The reason we started with us is because it was quick just to sit a few folks down and talk about what we knew amongst ourselves, and, rather than just raising the point of "we should build a roadmap," we thought putting something out there to just seed the discussion might help as well. But I would love to help drive building that community roadmap, and I...

G: ...think GitHub Projects sounds like a great place to have that. I'm wondering, Stephen, if you or anyone would be willing to maybe just sit down with me for half an hour and kind of go through the mechanics of everything you've learned before in setting up the tooling, and that way we could maybe, yeah, kind of share some of that.

K: Yeah, let's... I think I can do something later next week, if that's cool, and I'll work with you offline to figure out times. That'd be great.
A: Awesome. Quick notes: I applaud this. I put in the notes a couple of things that I know of. Obviously, on the OpenSSF side, with Naveen, we're trying to raise up the test coverage to at least 80 percent. One challenge, of course, is that test coverage raises and then there's new functionality.

A: So I'm not sure how we're going to win this battle, but integrating Bigtable and the project room results... and I don't know if there's a way to do this in a roadmap, but a way to show not the big-step amazing stuff like GitLab support, but, you know, adding slowly more CI/CD systems and test frameworks and SAST tools, and so on. Maybe we stick a flag on, "at an end by this point, this is what we've achieved," but...

G: I think it's a great point, and I think that's always kind of the perpetual back and forth of building the roadmap, of what is too granular and what is big. But I think integrations are huge for our adoption right now.

G: It seems like everything you're mentioning to me would be a roadmap item. I feel like anything that would influence how someone approaches the project or wants to participate in the project seems like a pretty credible roadmap item. But I think we get the community discussion started, and then we can kind of build off of it from there.
B
Oh
okay,
yeah!
It's
just
that
when
I
was
trying
to
learn
scorecards
across
all
of
the
organizations,
as
it
was
just
like
struggling
with
a
few
things.
I
like
the
donation
thing
that's
going
to
help,
but
we
did
get
it
running
and
first
thing:
I
always
try.
This
is
like
let's
go
to
bigquery
and
then
I
run
into
the
issue
that
we
it's
like
a
cost
issue
and
we
can't
get
to
it
for
our
company.
D
I
can
I
can
answer
this,
so
what
we
have
a
transfer
job
that
transfers
data
the
to
the
the
scorecard
weekly
cron,
runs
on
one
point:
something
million
repos,
and
then
we
typically
get
data
from
store
our
Run
results
in
GCS
and
then
move
them
in.
C
D
Transfer
job
to
a
bigquery
table,
that's
like
publicly
queryable,
so
I
think
the
this
is
just
like.
We,
we
have
like
one
format,
that's
just
like
the
objects,
which
is.
H
D
D
Are
the
two
that
we
we
landed
on,
but
we
probably
could
support
other
transfer
mechanisms
or
maybe
like
work
with
you
to
get.
I
G
J
E
How
that
just
just
to
clarify
on
that,
where,
when
I
go,
when
I
call,
when
I
go
to
api.securitiescorecodes.bab,
is
that
pulling
the
data?
Is
that
just
another
way
to
pull
the
data
out
of
the
bigquery
database?.
D
That's
pulling
data
from
from
a
cloud,
storage,
I
believe
actually,
those
blobs
that
you
receive
from
cloud
storage,
okay,
yeah,
but
the
the
transfer
job
takes.
So
so
the
the
the
the
API
I
believe
well,
okay,
actually
I'm
I'm,
not
sure
about
that.
But
the.
K
Background
yeah
I
think
the
the
open
question
is
figuring
out
where
we're
passing
costs
off
to
the
customer,
and
if
we
can
not
do
that
right
because
the
I
mean
I
think
the
whole
point
of
of
having
this
infrastructure
in
place
and
making
a
publicly
queryable
system
is
so
that
people
have
open
access
to
do
so
so
Christine.
It
would
be.
It
would
be
good
to
better
understand
like
what
formats
would
be
useful
for
you
to
receive
the
data
in,
so
we
can
kind
of
work
backwards
from
there.
B
A
B
K
Yeah
so
I'm
hearing
I'm
hearing,
we
need
an
issue,
the
track,
if
we
don't
have
one
already
so
that
we
can
gather,
use
cases
and
gather,
acceptable
data
types
and
then
presentation
mechanisms.
E
I,
just
I've
dropped
a
link
to
a
little
toy
that
I
made,
which
is
a
go
program
that
goes
against
the
scorecard
API
that
pulls
out
scorecard,
given
a
particular
Pearl
package.
Url,
so
I
think
that
you
know
that's
a
a
kind
of
that
was
kind
of
like
a
demonstrator
and
we've
done
some
other
demonstrators
that
are
using
this
core
card
API
but
I
think
in
general.
That's
where
we
would
like
to.
We
would
like
to
start
developing,
and
you
know
we
don't.
We
don't
plan
to
like
be
making
live.
E
Queries
based
on
our
customer
queries
against
the
scorecard
API,
but
what
we
would
like
to
be
able
to
do
is
to
Harvard
be
able
to
harvest
data
from
that,
as
well
as
incorporating
the
like
the
library
itself.
So
that's
that
that's
but
but
I'm
happy
to
talk
more
about
that.
Those
plans
as
well.
Okay,.
F
I
think
it
a
little
bit
of
it.
I've
been
getting
started,
getting
engaged
with
six
store,
but
that
caused
me
to
cast
sort
of
a
wider
eye
on
what's
running
as
public
good
instances
and
a
lot
of
these
have
access
to
a
bunch
of
stuff,
and
so
the
next
question
I
have
is
okay.
You
know
how
you
know:
where
does
that
configuration
live?
K
Responsible
project,
this
yeah,
you
know:
how
can
we
I
agree
that
is
and
I
think
that
is,
you
know,
kind
of
it's
so
important.
You
know
I
think
again
pointing
at
kubernetes
we've
got.
You
know
there
is
the
Kate's
dot,
IO
repo
right
and
the
case.
Io
repo
will
show
you
exactly
like
the
terraform.
That's
used
to
deploy
the
project.
What
where
like
like
what
gcp
project
it's
living
in
the
the
access
to
the
like
the
IAM
lists,
who's,
a
part
of
those
lists
and
pointers
to
all
of
that
stuff.
K
So
it's
we
need
to
because
it
is,
is
community-run
instances.
It
would
be
good
to
have
Clarity
on
on
exactly
how
and
when
things
are
running.
D
D
We
I
don't
believe
so.
We
we
looked
into
this
a
little
bit
ago
but
like
for
for
us
Google
internally.
We
run
our
own
All-Star
instance
for
Google
repositories
and
then
there's
also
like
a
All-Star
public
instance
that,
like,
for
example,
like
openss
stuff
in
or
kubernetes,
projects,
will
be
we'll
use
a
public
good
All-Star
instance,
but
for
like
Google
specific
repository,
because
we
have
our
own
instance
as
well,
and
we
I
don't
think
any
of
us
have
access
to
the
openssf
All-Star
instance.
A
J
Don't
know
we
we
should
Evan
again
to
to
Bang
the
Drum.
Can
you
file
an
issue
for
this
sure
cool.