►
From YouTube: Scorecards Biweekly Sync (June 29, 2023)
B
A
C
A
D
D
A
A
G
A
I
I
got
it
it's
something:
that's
already
posted
that
in
chat.
So
what
I'm
going
to
do
is
I'm
going
to
add
them,
but
not
notify,
because,
yes,
because
we
don't
need
that
in
our
inboxes,
all
right
I
think
I
fixed
this.
However,
if
your
accesses
change,
you
need
to
click
on
reload
on
your
browser
to
get
the
new
permissions.
A
A
A
A
A
A
E
I
C
G
A
Excellent
excellent,
very
good,
all
righty
and
let's
see
here
all
right-
and
so
you
I
mean
if
I'm
gonna
play
the
facilitator
role.
I
guess:
I'm
gonna
walk
through
the
agenda,
which
is
I,
guess
announcements.
Do
we
have
any
any
introductions
or
in
particular
product
project
updates
things
that
have
you
know
not
non-trivial
stuff?
That's
changed
regarding
scorecard.
A
E
Yeah
so
I
hate
to
be,
as
I
said,
on
on
the
slack
I
hate
to
be
that
guy,
the
and
and
call
times
are
hard.
I
recognize
that
I
haven't
been
very
active
in
this
group,
so
it
but
I'm
hoping
that
my
eye
and
my
employer
will
be
more
active
in
this
community.
We're
heavily
centered
engineering
wise
in
in
Europe.
E
You
know
for
regular
regularly
scheduled
things
anyway
and
the
so
yeah
I'd
like
to
gently
suggest-
and
we
don't
have
to
you-
know
organize
it
here.
Maybe
maybe
we
could
take
it
to
a
doodle
poll
or
something
like
that,
but
I
I,
yeah,
I
I
think
it
would
be
generally
good,
not
just
for
me,
but
all
you
know
possibly
enable
or
why
be
more
inclusive
in
general
to
have
a
alternating
call
time.
K
So
my
my
teams-
I,
you
know
I'm
kind
of
going
through
this
exercise
with
a
bunch
of
different
teams
and
I
I
I,
occasionally
mentioned
to
the
maintainers.
This
is
like
Thursday
is
one
of
my
most
contested
days.
I
I
have
to
miss
this
meeting
so
frequently
and
I
don't
want
to
because
I'm
like
triple
ebooked
back
in
kubernetes
when
I
started
and
working
on
on
Sig
release.
K
We
had
a
question
about
why
the
release
team
meetings
were
always
in
in
the
U.S
specific
favorable
times
and
the,
and
there
was
no
specific
reason
for
it.
We
just
continued
to
do
it
until
we
realized
that
it
was
because
so
many
of
the
people
at
the
time
were
googlers
who
were
working
on
the
on
the
infrastructure.
So
it
was
just
a.
It
was
just
a
natural
artifact
of
that.
A
Yeah
I
mean,
as
far
as
I
think,
where
it
really
comes
down
to
is
scheduling's
hard.
So
once
a
meeting
gets
scheduled
unless
somebody
asks
nobody
wants
to
rock
the
boat,
but
I
think
this
is
a
good
time
to
rock
Boat
Rock
I
I
will
observe
that
many
many
of
these
open
ssf,
many
of
the
other
open
ssf
meetings
are
have
already
switched
to
like
alternating
times
to
try
to
make
it.
You
know
at
least
distribute
the
pain
a
little
more
evenly.
K
H
A
Right
times
with
maintainers
all
right,
so
let's
talk
about
how
we're
going
to
do
this.
You
know.
We've
certainly
done
a
lot
of
doodle
polls
to
work
out
better
times.
I
do
agree
that
would
make
it
would
be
simpler
if
we
could
Identify
some
ranges
to
start
with
that,
where
we
might
vote
on
and
then
work
on
the
details.
So
those
aren't
thinking
it
was.
You
know,
subtract
if
I
subtracted
six
to
eight
hours,
ish
and
and
set
up
a
double
doodle
poll
with
a
bunch
of
options.
K
I
would
say,
use
the
the
link
I
I,
sent
the
world
clock,
meeting,
planner
and
start,
and
so
so
I'm
I'm
New,
York
we've
got.
We've
got
folks
in
the
west
coast.
We've
got
folks,
it
sounds
like
we've
got
folks
in
the
we've
got
folks,
potentially
an
APAC,
our
folks
that
maybe
are
an
impact
that
can't
join,
because
it's
it's
that
it's
that
bad
of
a
time
so
I
would
I
would
start
with
you
know.
Maybe
we
do.
Maybe
we
do
USC.
K
H
A
They
absolutely
yeah,
that's
right,
that's
right!
So
I!
You
know
we
don't
have
to.
In
fact,
I.
Don't
think
that
we
can
pick
a
particular
time
right
now.
I
I
think
you
know
there
are
people
aren't
here,
I'm,
just
looking
for
a
range
and
then
we
can
set
up
a
doodle
poll
with
like
a
whole
bunch
of
options,
but
I,
don't
I
don't
want
to
set
up.
You
know
24
times
seven
blocks
or
24
times
five
blocks
of
possibilities.
C
J
J
H
A
F
A
I
A
A
E
A
E
E
The
only
time
that,
like
yeah,
that's
why,
in
one
of
the
other
groups
that
I'm
in
in
w3c,
we
alternate
our
plenary,
call
between
5
PM,
London
time
and
7
A.M
London
time
both
of
them
are
doable
for
me,
but
one
of
them
Works
doesn't
work
very
well.
The
5
PM
really
doesn't
work
well
for
Asia.
The
7
A.M
kind
of
is
painful
for
the
for
people
on
the
west
coast,
but
they
can
do
it.
So
it's
like
11
p.m.
I
I
think
someone
suggested
that
in
chat,
even
though
that's
not
business
hours
in
Asia
Pacific,
yes,
exam
Pacific,
even
though
that's
not
business
hours
in
Asia
Pacific,
you
people
in
Asia
are
used
to
having
meetings
at
those
times,
so,
whether
that's
India
or
China-
that's
typical
of
them
to
have
business
meetings
at
those
times
because
they're
frequently
working
with
teams
in
the
US,
so
it
wouldn't
be
unusual.
I
mean
to
for
them
to
attend
something.
C
I
K
K
I
know
that
if
someone
made
that
assumption
for
me,
I
would
just
not
attend
that
meeting
so
so
the
I
think
we
can
start
with.
If
we're
saying
that
this
time
is
good
for
us,
then
maybe
it's
fine
right,
but
it
looks
like
it's
right
so,
but
The
Sweet,
Spot,
somewhere
between
12
and
7,
is,
is
looking
to
be
where
we
have
at
least
one
meeting
that
connects
U.S
east,
maybe
some
of
U.S
Pacific
and
emea
right.
Then
there
is
a
second
meeting
that.
I
A
K
We
should
look
for
so
so
for
the
I'm.
Sorry
I
have
a
meeting
chat
in
the
way.
Sorry
so
so
for
Washington
London,
San
Francisco.
We
should
look
for
things
that
hit
in
that
yellow
and
and
green
area
right
for
everyone,
you
know
and
and
and
Tel
Aviv.
If
we
can,
if
we
can
pull
them
into
right
for
everyone
else,
like
one,
we
don't
make
the
decision
now
well
for
everyone
else.
A
K
E
E
H
E
F
K
San
Francisco
is
we're
like
we're,
maybe
less
concerned
with
them
right.
What
we're
trying
to
pull
in
is
more
of
the
MBA
side
right
so
like
the
first
one
would
be
like
U.S,
east
London,
Tel,
Aviv
right
and
you
get
a
time.
That's
that's
closer
to
their
green
and
yellow
windows,
and
then
you
focus
on
San,
Francisco
and
APAC
right
to
get
a
time.
That's
green
and
yellow
for
them
right,
and
we
have
maintainers
that
are
both
U.S
east
and
US
West.
So
we'll
have
coverage
in
both
of
those
meetings.
G
Going
just
to
just
to
complicate
things
further
is:
if
we,
if
we
don't
have
enough,
we
do
have
a
number
of
folks,
or
at
least
about
two
or
three
in
Sydney.
Now
that
want
to
start
working
more
on
the
project,
so
they're
I
was
looking
I
thought
they
would
be
close
enough
to
Beijing,
but
they're.
Also
right,
oh
really
well,
they're
about
they're
about
two
hours
offset
similar
to
Tel
Aviv
in
London.
G
K
H
A
A
E
E
You
know
they
saw
us
a
trace
from
somebody
who
was
using
scorecard
in
their
Pipeline
and
the
output
sent
somebody
off
to
a
URL
which
was
on
step
security.io,
which
is
like
a
commercial
product,
and
so
he
raised
an
alarm
with
me
and
he
said:
hey
wait.
Aren't
we
a
member
of
open
ssf?
Why
is
this
open,
ssf
thing
sending
something
somebody
to
a
competitor
I,
don't
know
that
step.
E
Security.Io
is
a
competitor
or
whatever,
but
it
kind
of
like
I
I
just
wanted
to
raise
it,
because
it
reminded
me
of
the
fact
that,
where,
in
the
SCM
best
practices
work,
that's
happening
in
the
best
practices
working
group,
we
Christine
and
I
are
working
with
legitify
I've
known
from
legitify,
who
actually
came
up
with
a
whole
bunch
of
remediation
steps
and
further
information
about
SCM
configuration
options
which
were
contributed
into
the
S.
The
open,
ssf
best
practices
working
group.
E
So
those
actually
are
sitting
in
that
that
in
that
GitHub
repo
right
now
and
we're
working
with
that
data
and
they're
and
they're,
you
know
so
so
they
so
one
suggestion
could
be.
Could
if
this
remediation
material
is
is
is
could
it
be
donated
to
open
ssf?
Is
there
some?
You
know
so
I
I
I'm
happy
to
help,
try
and
figure
out
what
the
answer
is,
but
I
think
it
would
be
better
from
a
vendor
neutrality
standpoint
for
scorecard
to
not
be
sending
people
off
to
third-party
commercial
sites.
I.
K
A
K
It's
it's
within
our
checks.
It's
within
the
scorecard
checks,
the
remediation
documentation
yeah
so
like
pinning
the
so
pinning
the
say
like
pinning
the
hashes
or
something
right
will
tell
you
like
hey
by
the
way.
If
you
want
something
that
will
generate,
you
know,
say
a
GitHub
actions
workflow
manifest
that
gives
you
pin
actions.
You
can
go
to
step
security,
so
usually
it
used
to
be
like
go
to
to
subsecurity.io
secure
repo
would
like
you
could
you
could
go
to
the
UI?
K
Stick
your
repo
and
or
copy
and
paste
your
workflow,
and
then
it
would
spit
out
it's
a
hard-end
workflow
for
you
right
and
now
I
think,
there's
some
some
other
redirects
in
place
that
that
take
you
to
that.
Take
you
to
the
main
company
site
so
but
yeah
there's
there's
something
to
fix
there.
Gotcha.
E
K
A
A
E
E
A
No,
no,
no,
it's
a
necessary
kerfuffle
and
that's
completely
different.
You
you,
but,
but
you
know
what
you
know
create
the
issue.
If
you
know
the
specific
locations
you'll,
let
us
know-
or
at
least
the
pattern
to
look
for
that.
Would
that
would
be
helpful.
I
mean.
Obviously
we
can
do
that,
but
the
the
the
more
information
you
give
us,
the
more
likely
we're
going
to
do
a
good
job
if
there
was
of
the
result,
if
that.
A
A
Okay,
I:
will
you
know
what
I
all
right
open?
If
you
wouldn't
mind,
create
the
issue
and
when
you
know
the
issue
number
stick
the
link
into
these
notes
and
that
way
everybody
knows
to
go
right
there,
and
this
is
not
a
you
know,
not
necessarily
done,
but
at
least
we've
started
awesome
excellent.
Thank
you
so
much
Dan.
This
is
the
kind
of
curve
fluffling
we
want.
E
Okay
and
while
I'm
well
I've
got
the
my
the
other
thing
that
I,
the
only
other
thing
I
put
on
the
agenda
was
I
just
wanted
to
put
this
this
AP
this
issue
or
pr3107,
which
is
one
that
I
made,
which
adds
the
data
license
David.
You
already
commented
on
that
and
said:
I've
gone
to
LF
legal
I
just
wanted
to
pop
my
head
up
and
say
yes,
I
I.
This
is
not
something
that
just
like
came
out
of
my
mind.
E
This
is
something
like
again
I'm
getting
questions
from
my
company
about
this,
and
this
is
why
I
you
know
were
so
it's
it's
it's
to
do
it's
something
important
for
us,
so
I'd
like
to
make
sure
that
it
it's
that
that
it's
clear
anyway,
what
what
the
what
the
license,
what
the
data
license
is,
is
associated
with
the
data
that
the
API
produces
not
to
do
with
the
open
source
license
of
what
you
know.
It's
a
it's!
A
D
Think
right
now
the
text
says
you
know
this
is
the
issue
please
go
to,
like
you
know,
update
It
Go
by
going
to
this
link,
so
we
could
definitely
change
it
or
we
can
make
this
even
like
more
more
modular,
like
those
things
would
be
in
our
control
to
do.
If
there
was
an
issue
and
I
wonder
if
maybe
the
or.
K
I
mean
so
yeah.
The
way
to
do
it
in
my
head
would
be
to
say:
okay,
we
know
what
the
link
is
right
and
we
know
that
it's
it's
step.
Security,
slash,
secure,
repo
I
think
is
the
is
the
repo
right.
Is
there
a
library
that
we
can
use
that
can
easily
derive
the
shot
like
one
of
the
things
that
it's
doing
for
remediation?
It's
like
it's
like
open
the
shots
right.
If
we
can
derive
the
Shaws
that
should
be
in
in
the
repo,
then
we
can
present
a
hey.
This
thing
should
be
pinned
here.
K
D
Yeah
like,
for
example,
like
I,
think
Rick
ratchet
may
do
something
similar
where
it
can
say
you
can
replace.
This
with,
like
you
know
like
here,
is
like
the
shot
that
you
should
pin
it
to
so
yeah
I
mean
like
the
like.
We,
we
can
change
the
messaging,
but
I
thought
what
I
understood
was
a
conversation
was
that
this
should
be
a
donation
which
we
can't,
which
isn't
like
an
issue
like
a
GitHub
issue
per
se.
More
than
like
a
conversation
that
could
be
had
or
something.
E
K
I
mean
yes,
I
mean
we
have
an
example
on
the
meeting
notes
right.
So
the
donation
of
the
visualizer,
for
example,
right,
is
one
thing
where
at
some
point
in
time,
a
group
of
people
decided
that,
like
hey,
this
is
functionality
that
could
live
in
Square
card
as
opposed
to
as
opposed
to
external
right
there's
another
one
scorecard
monitor
that
I
need
to
get
back
on.
But
it's
it's
really.
It's
part.
It's
part
conversation
at
some.
You
know
with
the
sem
best
practices
they
said
hey.
This
is
great.
K
Let's
move
this
closer
to
where
everybody's
going
to
be
looking
right.
So
this
is,
do
we
want
to
provide
the
functionality
of
what
should
happen
during
the
remediation?
We
definitely
don't
want
to
point
people
externally,
which
is
what
Dan
is
saying,
but
there
isn't.
There
is
a
middle
ground
where
we
can
provide
the
functionality
or
we
can
tell
people
how
to
derive
the
correct
answer
that
doesn't
involve
sending
them
to
a
corporate
site.
J
K
H
C
A
A
E
A
C
A
K
Can
we
step
back
for
a
second?
We
didn't
discuss
the
visualizer,
yeah
I'm,
sorry,
so
I
don't
know
who
logged
this
on
the
you
know
on
the
agenda,
but
I
will
say
that
my
apologies
for
dropping
the
ball
I'm.
The
one
who
suggested
this
and
reached
out
to
the
maintainer
and
I
need
to
pick
that
ball
back
up,
I've
been
working
on
a
bunch
of
policy,
generative
AI
policy
stuff
internally,
and
that
has
taken
up
a
decent
check
with
my
time,
but
I
have
assigned
myself
to
it.
K
I
will
reach
out
to
Ulysses
and
move
the
ball
forward.
I
have
a
note
that
I
already
sent
out
to
the
talk
about
what
the
process
should
be.
I,
don't
think
that
we
have
a
process
per
se
or
the
process
that
exists
today
may
be
heavy
weight
for
what
this
is
right.
So
the
process
today
is
effectively
to
present
a
project
to
the
tech.
K
I
would
consider
scorecard
to
be
the
project
that
already
exists
and
for
something
like
scorecard
Monitor
and
action
and
and
the
action
that's
associated
with
it
to
be
derivative
of
scorecard
so
I
I
would
I.
I
can
jump
through
the
Hoops
of
doing
the
current
tax
process,
for
the
sake
of
including
this
project
as
part
of
scorecard,
but
I
believe
there
should
be
a
lighter
weight
way
of
doing
that
for
projects
that
we
determined
that
are
fit
with
our
with
a
set
of
functionality
that
we
have.
A
K
Well,
this
would
be
this
would
be
new
repo,
a
migration
of
an
existing
repo,
so
I
and
I
I
pointed
the
the
talk
conversation
I
pointed
to
suggesting
that
we
pick
up
something
lightweight
like
the
kubernetes
process
or
absorbing
donated
projects
right
so
effectively.
What
would
happen?
Is
we
work
with
the
the
maintainers
to
migrate
their
repo
into
the
open,
ssf
org?
We
get
a
team
going
right.
We
get
a
team
going,
we've
been
in
that
team
to
admin
and
maintain
our
rights.
K
A
Yeah
I
am
definitely
not
big
on
heavyweight
processes.
I
do
want
to
make
sure
people
are
informed,
though
scorecard's,
actually
within
the
best
practices
working
group,
so
I
think
we
need
to
at
least
get
you
know
hey.
This
is
the
proposal
and
the
issues
I'm
expecting
zero
problems,
I
think
technically.
Typically,
we
have
raised
it
up
to
the
attack,
but
usually
that's
been
a.
We
have
already
made
this
decision,
not
a
request
for
approval,
but
we
do
need
to
at
least
bring
it
up
to
the
working
group.
I'm
expecting
zero
issues.
A
J
K
J
A
J
A
Is
you
bring
it
to
the
working
group,
they
say
yay
or
nay,
they
you
know
and
then
there's
there's
an
ambiguity
about
whether
or
not
the
tax
has
to
approve
or
just
simply
be
notified
and
the
other
issue
which
people
don't
normally
see
is
the
LF
does
have
to
check
license
if
you're,
Apache,
20
or
MIT
it's
a
non-issue.
If
it's
a
common
open
source
license,
we
may
have
to
get
permission.
It's.
A
K
A
Exactly
if
they're
Apache
tour
MIT
the
copyright
issues
Journal
disappear
unless
somebody's
claiming
that
that's
that
that
did
something
illegal
which
we've
never
have
to
happen,
but
you
know,
and
the
other
is
trademark
you
know.
So
basically
we
need
to
just
ask
hey:
are
there
patents
trademarks,
any
issue
issues
and
almost
never
actually
happens,
but
we
have
to
ask
the
question.
K
A
A
K
A
G
Yeah
great
that
one's
mine,
this
is
an
item
that
I
wanted
to
both
just
try
to
make
the
group
more
aware
of
but
kind
of
where
some
of
the
folks
who
work
on
this
project
from
the
Google
side,
where
they're
thinking
you
know,
plans
that
they
have.
It
was
really
born
out
of
a
question
that
that
I've
gotten
when
I've
been
at
different
conferences
and
I'm
talking
about
scorecards
a
common
question.
G
Is
you
know
what
what
does
that
project
roadmap
really
start
to
look
like,
and,
while
you
know,
I
couldn't
quite
sit
down
with
everyone
in
the
group
for
a
first
pass.
What
I
did
do
is
sit
down
with
a
few
Folks
at
Google
to
talk
about.
What's
work
that
we're
really,
you
know,
planning
to
contribute
to
the
project.
What's
other
work
that
we're
aware
is
is
going
to
happen,
and
so
this
is
very
much
a
first
pass
at
that.
G
G
And
I'll
start
first
with
just
a
couple
of
notes:
the
one
kind
of
frame
of
frame
of
mind
that
we've
been
taking
is
that
this
is
much
more
of
a
forecast
than
an
actual
plan.
You
know
these
aren't
hard
committed
dates.
These
are
when
we're
forecasting
certain
pieces
of
work
to
get
done.
It
would
be
nice
if
they
all
got
done
at
roughly
those
times,
but
well
we're
kind
of
feeling
it
out.
G
At
this
point,
you
know
it's
very
much,
not
exhaustive,
just
things
that
that
are
on
the
radar
right
now
things
that
you
know
we're
generally
planning
and
then
Our
rough
criteria
of
you
know.
How
is
how
is
this?
Not
just
every
idea
we
have.
You
know
it's,
it's
idea,
plus
the
ability
to
make
an
engineering
commitment
behind
it
and
so
without
further
Ado
everything
that
fit
those
criteria
we
put
just
along
a
2022
timeline
and
then
started
to
just
throw
some
different
things
into
the
2024
plus
group
as
well.
G
We've
got
things
like
structured
results,
which
is
a
project
that
we
know
that
we
need
to
vet
with
the
larger
group,
but
it's
the
idea
of
seeing
if
we
can
make
scorecard
a
little
bit
more
flexible
for
some
organizational
cases,
something
that's
related
to
that.
Maintainer
annotations,
giving
maintainers
the
ability
to
you
know
basically
establish
a
bi-directional
communication
mechanism
and
say
I
see
this
score,
but
here's
some
additional
context.
G
That
might
be
helpful
if
you,
if
you
see
a
low
score
here,
here's
some
other
things
to
evaluate,
and
then
you
know
also
something
that
would
mean
a
good
healthy
amount
of
discussion.
Is
some
ecosystems
have
more
or
less
best
practices
that
would
apply
more
to
their.
You
know:
go
ecosystem
or
python
ecosystem.
G
Having
really
having
that
discussion
in
terms
of.
Does
this
make
sense
to
to
kind
of
try
to
break
down
scorecards
a
little
bit
more
so
that
they
fit
specific
ecosystems?
Is
that
item?
And
then
you
know
I
know
we're
short
on
time,
so
I'm
not
going
to
go
through
all
of
the
2020
or
plus
items
here,
but
you
know,
there's
a
general
theme
of
trying
to
just
expand
features.
G
So
again,
a
starting
point
from
some
of
the
work
that
the
folks
on
on
Google's,
open
source
security
team
are
looking
at
I.
Think
there's
another
whole
discussion
over.
You
know
what
would
be
effective
tooling
for
a
road
map
building
or
for
road
map
building
across
a
project
like
this,
but
for
now
feedback
would
be
greatly
appreciated
and
if
there
are
things
that
you
were
really
planning
on
making
sure
that
go
into
the
road
map
or
things
that
you're
already
planning
to
do.
Let's
definitely
talk
about
those
I
think
the
dream
would
be.
G
F
J
K
Kubernetes
not
on
again
my
release.
Team
has
worked
on
some
automation
around
GitHub
project
boards
for
the
CI
signal
and
kind
of
release,
visibility
stuff.
It
would
be
good
to
see
what
we
could
leverage
from
that.
Definitely
because
we,
because
we
use
old
project
boards-
and
there
was
a
CI
signal
report
and
we
did
a
whole
bunch
of
stuff
and
we're
like.
Can
we
just
make
this?
Can
we
just
make
this
like
once?
K
This
is
when
GitHub
project
was
in
beta
and
now
that
it
now
that
it
is
the
thing
to
use
we
can
we
can
do
a
bit
of
tweaking
and
see
if
we
can
pull
in
any
of
that
too
I
would
say
from
the
roadmap
perspective
I.
You
know
right
at
the
end.
You
said
the
point
that
I
was
like
gonna
raise
my
hand
for
how
can
we
abstract
this
into
a
community
roadmap
as
opposed
to
Google
based
roadmap
right
and
sure
we
may
have
googlers?
K
Who
would
be
the
executors
of
of
the
of
those
those
things
that
are
of
interest
to
Google
and
partnership
with
with
other
folks
in
the
scorecard
contributor
pool?
But
but
you
know,
then,
at
least
if
we,
if
we
bless
this
as
a
this,
is
a
provisional
Community
roadmap.
We
can
present
this
to
people
who
are
on
the
mailing
list,
people
who
are
in
the
best
practices
group
and
say
what
do
you
think
is
missing
and
who's
going
to
come
in
and
and
and
and
put
hands
on
keyboards
to
get
it
done.
G
We
very
much
have
a
shared
Vision
on
wanting
the
community
roadmap.
The
reason
we
we
started
with
us
is
because
it
was
quick
just
to
sit
a
few
folks
down
talk
about.
You
know
what
we
knew
amongst
ourselves
and
kind
of
use,
rather
than
also
just
raising
the
point
of.
We
should
build
a
road
map.
We
thought
you
know
putting
something
out
there
to
just
see
the
discussion
might
might
help
as
well,
but
I
I
would
love
to
help
just
drive,
building
that
Community
road
map
and
I.
G
Think
GitHub
project
sounds
like
a
great
place
to
to
have
that
I'm
wondering
Stephen.
If,
if
you
or
anyone,
you
know
would
be
willing
to
maybe
just
sit
down
with
me
for
half
an
hour
and
kind
of
go
through
the
mechanics
of
everything
you've
learned
before
in
setting
up
the
tooling
and
and
that
way
we
could
maybe
yeah
yeah.
You
know
kind
of
share
some
of
that.
K
A
Awesome,
our
quick,
quick
notes.
You
know,
I
I,
applaud
this
I
put
in
the
notes,
a
couple
things
that
I
know
of
you
know.
Obviously,
in
the
open
ssf
side
you
know
with
Naveen
and
so
we're
trying
to
raise
up
the
test
coverage
to
80
at
least
80
percent.
One
challenge,
of
course,
is
that
you
know
test
coverage
raises
and
then
there's
new
functionality.
A
So
I'm
not
you
know
not
sure
how
we're
going
to
win
this
battle,
but
integrating
big
table
and
the
project
room
results
and
it's
I
don't
know
if
there's
a
way
to
do
this
in
a
road
map
but
but
a
way
to
show
not
the
big
step.
Amazing
stuff
like
get
lab
in
support,
but
you
know
adding
solely
more
CI
CD
systems
and
test
Frameworks
and
SAS
tools,
and
so
on
I
I,
you
know,
maybe
we
stick
a
flag
on
at
an
end
by
this
point.
This
is
what
we've
achieved,
but.
B
Oh
okay,
yeah!
It's
just
that
when
I
was
trying
to
learn
scorecards
across
all
of
the
organizations,
as
it
was
just
like
struggling
with
a
few
things.
I
like
the
donation
thing
that's
going
to
help,
but
we
did
get
it
running
and
first
thing:
I
always
try.
This
is
like
let's
go
to
bigquery
and
then
I
run
into
the
issue
that
we
it's
like
a
cost
issue
and
we
can't
get
to
it
for
our
company.
C
C
D
H
I
G
J
E
D
K
Background
yeah
I
think
the
the
open
question
is
figuring
out
where
we're
passing
costs
off
to
the
customer,
and
if
we
can
not
do
that
right
because
the
I
mean
I
think
the
whole
point
of
of
having
this
infrastructure
in
place
and
making
a
publicly
queryable
system
is
so
that
people
have
open
access
to
do
so
so
Christine.
It
would
be.
It
would
be
good
to
better
understand
like
what
formats
would
be
useful
for
you
to
receive
the
data
in,
so
we
can
kind
of
work
backwards
from
there.
B
A
B
E
I,
just
I've
dropped
a
link
to
a
little
toy
that
I
made,
which
is
a
go
program
that
goes
against
the
scorecard
API
that
pulls
out
scorecard,
given
a
particular
Pearl
package.
Url,
so
I
think
that
you
know
that's
a
a
kind
of
that
was
kind
of
like
a
demonstrator
and
we've
done
some
other
demonstrators
that
are
using
this
core
card
API
but
I
think
in
general.
That's
where
we
would
like
to.
We
would
like
to
start
developing,
and
you
know
we
don't.
We
don't
plan
to
like
be
making
live.
E
Queries
based
on
our
customer
queries
against
the
scorecard
API,
but
what
we
would
like
to
be
able
to
do
is
to
Harvard
be
able
to
harvest
data
from
that,
as
well
as
incorporating
the
like
the
library
itself.
So
that's
that
that's
but
but
I'm
happy
to
talk
more
about
that.
Those
plans
as
well.
Okay,.
F
I
think
it
a
little
bit
of
it.
I've
been
getting
started,
getting
engaged
with
six
store,
but
that
caused
me
to
cast
sort
of
a
wider
eye
on
what's
running
as
public
good
instances
and
a
lot
of
these
have
access
to
a
bunch
of
stuff,
and
so
the
next
question
I
have
is
okay.
You
know
how
you
know:
where
does
that
configuration
live?
K
Responsible
project,
this
yeah,
you
know:
how
can
we
I
agree
that
is
and
I
think
that
is,
you
know,
kind
of
it's
so
important.
You
know
I
think
again
pointing
at
kubernetes
we've
got.
You
know
there
is
the
Kate's
dot,
IO
repo
right
and
the
case.
Io
repo
will
show
you
exactly
like
the
terraform.
That's
used
to
deploy
the
project.
What
where
like
like
what
gcp
project
it's
living
in
the
the
access
to
the
like
the
IAM
lists,
who's,
a
part
of
those
lists
and
pointers
to
all
of
that
stuff.
K
D
D
We
I
don't
believe
so.
We
we
looked
into
this
a
little
bit
ago
but
like
for
for
us
Google
internally.
We
run
our
own
All-Star
instance
for
Google
repositories
and
then
there's
also
like
a
All-Star
public
instance
that,
like,
for
example,
like
openss
stuff
in
or
kubernetes,
projects,
will
be
we'll
use
a
public
good
All-Star
instance,
but
for
like
Google
specific
repository,
because
we
have
our
own
instance
as
well,
and
we
I
don't
think
any
of
us
have
access
to
the
openssf
All-Star
instance.