From YouTube: Scorecards Biweekly Sync (September 22, 2022)
A: Can everyone see my screen? Yes, okay, cool. So should we go ahead and start then? I think it's.

B: Four minutes past the hour, I'd say.

B: Oh yeah, we submitted a talk proposal to... that's the school contact proposal that got accepted. I wanna... I don't want to edit that link on that specifically. Brian from Google and I submitted a similar talk proposal to the Linux Foundation Member Summit and it got accepted. I just want to let everybody know about that. That's my individual update on that.

A: Cool, congrats. Cool, so if nobody else has any other individual updates, let's move on to the agenda items for this week. And also, briefly, I forgot to introduce myself, so I'm Raghav, I work at Google on Scorecard. Okay, so now the agenda.

B: But yeah, right, pull down a little. Please! Yes, yes, okay, perfect! So we have the Scorecard API right now. My proposal is.

B: We don't have... or, the API is great, because now we are able to get all the information, but we don't have a way to fetch any of the historical data. The historical data is in a BigQuery table. We have about 35 million records in that, so people are jumping through hoops to get that. So my proposal is, and also there are two things to it. One is historical data. Another thing is, we also run scans every week.

B: We take commit SHAs and we add them to our data set that we store in our buckets, with the commit SHA. Also, the problem is, our end consumers aren't aware of what scans they can go pick up. So the problem with that is, they always get the latest. They always get the tip.

B: My proposal is very similar to deps.dev. deps.dev has proposed, has an option called scan dates, which essentially adds all the scan dates, and then consumers can use that. They can get a list of scan dates, then use those scan dates to add as an additional parameter to the data that is there, that they can fetch. This gives an option to two things. One is, it gives an option to get historical data, which is in the BigQuery table.

B: I'll talk about how to get that into buckets so that people using the API can access that. I want to initially talk about the second one, so we just essentially, on every scan, at the end of the scan, we can add or update that information of when the last scan date was. It's a running list that we can utilize.

B: We also store... we should also store our results with the scan date, so essentially like how we store with the commit SHA. And the last one that I want to talk about is to take all this BigQuery data and dump it into the buckets so that we can get the historical data. That's my proposal.

B: So I'm thinking today, anybody has thoughts, comments? Think this is a bad idea?
C: Right now, the API, is there a single bucket?

B: It's a single bucket with multiple docs, like multiple folders. We take every scan, we store it with the commit SHA, we store it with the latest, and we also store it with raw results. We store in multiple paths. The same... the raw results, those are different from that, but we store that all in a single bucket.

C: All right, so I guess you're talking about going back with a one-off job to dump historical data into, like, a date-prefixed path, but other than that, going forward, it's not like it's any more data, right? No.

B: Going forward, every time we run a historical scan, like every time we run a cron job, we take that data, we dump it into the bucket. Every time we dump it in, we also add a prefix of the date that we do that. So essentially, historical data and any new data.

B: And I also checked, do buckets have any size limitations? The buckets don't have any size limitation. The buckets have only a size limitation of a single file: it cannot be larger than five terabytes. That's the only thing, but the bucket itself is essentially infinitely scalable. So I don't think we are going to hit that limit pretty soon.

A: And what's the motivation to use dates over SHA? Okay.

B: So, great question. So if I am an end user, like I want to know how Kubernetes is doing, so I want to know how Kubernetes progressed over the last six months or last two years, so I can go ask, hey, give me all the commit SHAs that you have done. The issue with that is.

B: We have to maintain commit SHA trees for a million repositories, oh, 1.2 million repositories, and given an index for each one. What are the commit SHAs which we store on it? It's a great thing that we can do. The easier option is to say, every time I run a historical... every time I run a cron job, that happens once a week, I'm going to keep a list, only one single list, which is all the dates that I ran the cron.

E: Yeah, so it's my understanding that, like, the API was made just to get the latest, essentially due to, you know, wanting to be simple and just do what we could do at that point in time.

E: Yeah, I think it's totally understandable that people, you know, as the next, more expanded, full-featured API, you could get historical data.

B: I want two things on this: I want people to tell me if I'm wrong in the thought process, and technically I still haven't dived in, like, I just gave an overview. I didn't say how I'm gonna do that, like which kind of says how it is. But those are my thought processes. So, more technical, I want to say why this will add value, and do people see it as not a good solution on this.
B: That's one file where I need to manipulate that. That's one file. Taking the existing data and dumping it into... that's a job. That's a one-off job that I have to write to take all of the 35 million entries and write that into the bucket. That's a little time... that may be a little more work. It's not a single file change.

B: Right, right, I'm also gonna hit up Laurent and Naveen too, because Naveen has obviously done too much work on this. I want his critique, and to say, hey, there's a problem here. That's the reason I brought this up. I will tag him, I'll take them up in Slack to make sure I get a buy-in before I go down the rabbit hole of trying to implement. This sounds good. Okay.

B: The next one, I wanted Laurent to be on the call. Oh yeah, but I'll just bring it up. There's this feature that Aiden worked on, specifically bringing in dependency diff. This was being... this motivated.

B: This motivated me to implement that API. Prior to that, I talked about how to go fetch the data that we have in a bucket, some of the work, and this is a phenomenal feature. For folks who don't know, this helps if anybody does any... for example, at least in Go, this was implemented.

B: It'll show, if you add a new dependency or update an existing dependency, what the Scorecard score for that dependency is. It would show up in your PR, which is a great feature to say, okay, if I have a dependency that is not being maintained, should I add that or not. This is an avatar, but this will add to your PR, it'll comment on your PR. So I was thinking of... I want to talk about, where is it? What's happening on this feature?

B: And there are about three or four PRs that are open and pending, a couple here, a couple in the actions repo. So that's why I want to talk about this specifically, because it's roughly about three months old, these PRs, and nothing has happened. Code is rotting away. I want to make sure we don't lose track of this, and this will again add a lot of value to our end consumers, to say, hey, if I add new dependencies, am I getting these... all of their... flying blind.

C: I'm sure he'll be fine with you picking it up.

B: Yep, so, and I also wanted to know. There's a big thread in this PR. I want to make sure that we have a consensus on what it is that is blocking this PR from merging in. It's easier sometimes to talk rather than just be on a PR, and that's why I brought this up as an issue over here.

B: I want to know, this new dependency score, for the examples, is it only for vulnerabilities or for maintenance? I want to know that before I bring this in. Now it could be that, or any of the transitive dependencies, because that is the biggest problem, that we are flying blind. With this feature, it will add tags, it'll add comments on your PR to say, hey, you are violating, or any of that, and then you can mark them as required, and now you have better gates on stopping bad dependencies from getting into your code.

B: I already hit up Laurent on this and I will probably talk to him again. Thanks, so.
F: Okay, so, you know, as of now in Scorecard, for a couple of checks, it points to this tool, and what I want to talk about today is some improvements here. So you know this is for the dependency pinning, and today what happens is that, you know, users get redirected here and they can fix their workflow file. So let's say, you know, I paste my workflow file here and click on secure workflow.

F: Then it, you know, basically fixes it, and then they can copy it and use it, and you know this is good, but one of the problems here is that they have to do this for multiple workflows or multiple files, and you know that just requires some repetitive work. So the update that I wanted to talk about is this feature where you can actually scan a whole repo and then, you know, create a pull request.

F: And you click on analyze, so it, you know, analyzes the workflows in that repository, and it basically does the same thing as the previous page, but it allows you to fix across workflow files. And you know, so let's say if I want to again pin actions and I choose two of them, then I can click on create a pull request, and what happens here is that, you know, this forks the repository. So this stuff only works for public repositories, and you know it doesn't require installing any app.

F: So it sort of forks the repo and creates the pull request, and so this is what it looks like once the pull request is created.

F: Yeah, so that's actually the same as what the current behavior is. If I click on preview, it basically goes back to the same page. Okay, okay, yeah. Actually, let me do the pinning one. So here it, you know, basically goes here and it uses the same, you know, feature of this to show the preview.

F: And let me actually show you one of the... so this is actually where, you know, one of the open source maintainers actually used it in the Flutter Gallery repo, and you know this is where, for example, multiple files are fixed together. So yeah. So this is.

B: Why don't you go back to that PR? Can you go back to that PR? Can you click on the conversation? I'm gonna look at some things. Scroll down. It'll be nice if you can, like, sign your commits from the bot, because right now, I'm more... I'm just adding it as a feature. More and more things are looking for signed commits, so that... it's for two things: one is it avoids not being manually signed.

B: So if you sign it, that'll be a good feature, but this is cool, yeah. And I also like it, you made it into individual commits so that I can cherry-pick any of the commits that I want, if I disagree with some of that. That's really nice that you had it as individual files.

F: Yeah, I think this is, you know, good feedback about that DCO stuff, so yep, definitely add that, and one of the things, you know, that that.
F: Yep, it's basically, in addition to, you know, that initial page, yeah, it basically uses the same APIs, but instead of, you know, doing one file at a time, it basically calls, you know, for multiple files, yeah. And you know, in terms of creating a pull request, so it only allows one to do that if you have already contributed to that repository.

F: So you know it's like that is a sort of check built in, so forth. It only works for public repositories, but even then, you know, so let's say if I put in something where I've never contributed before, it will not let me create a pull request, and the idea is to just, you know, have some... yeah. Otherwise people might just go and create, you know, thousands of PRs, so I mean I'm open to feedback on that as well, but that's a check in it right now.

F: Now some of the other things, you know, that are coming up here is that we've also recently added updating the Dependabot config file, you know, and that's also a Scorecard check. So let's say if you have a Dependabot file and that does not update some, you know, some of the ecosystem things, like.

F: Maybe it's not updating actions, then that will also show up, you know, in the near future, and similarly, for example, if you don't have a static analysis tool, you know, so those are some things that it'll start showing, that you know you can update your Dependabot file, you can update your... add, you know, CodeQL or, and that, you know, I think we have to figure out based on the language.

F: Okay, and also, you know, there's this other thing, which is where you can actually see the Scorecard score across repositories, and you know that's something that I actually wanted to demo in the Alpha-Omega meeting, and you know, in there I was told that maybe I should talk about that in the Scorecard meeting or the Securing Critical Projects one.

F: Yeah, you know how in deps.dev you can see the score, but you have to see it for individual repositories, right. So you have to go and... but, for example, let's say I wanted to look at it for my org, yeah, and you know, I want to increase my Scorecard score for the whole org and I want to just have a view for my org. Then you can use that. I can actually... I have this open here for just like a test org. You see if I can bring that up, yeah.

F: Assume it'll actually bring you to that same page that we saw, yeah, this sort of page. So, but these are just things at a different level of abstraction, right. So there is a page where you can fix a workflow, but then you can fix multiple workflows in a repo, and this one is just at a next level where you can see at an org level, but this is something which is not like... it has to be set up for an org, it's not set up for all orgs, and I was hoping to.

B: Then if the historical stuff comes in, it opens a big can of worms, like people are gonna use that to do a lot more. People like to graph a lot with historical data, especially if it's in... then they can use Python fancy packages instead of jumping through hoops to get that. That's my thought process. Cool, very nice.

F: How to make this sort of available to the, you know, to the projects that might want to use it at an org level. I'm also trying to do a similar demo in the Alpha-Omega meeting.
B: If you use the API, then actually you would be able to... can you... is this hosted in your, like... What I'm trying to ask is, if you use the Scorecard API, the public API, now it's only two APIs, or not two, like there are Scorecard API calls and a GitHub API call to say, get me all repositories within this organization, and all of a sudden you mix and match them. You got this page, you don't need to run... you don't need to keep any state per se. You.

B: Actually, this will be a great project to host within OpenSSF, because now every organization can go get the score. This would be a great project to host. Sorry, I didn't mean to take away what you're doing, Varun, but I'm trying to think at a little higher level as to what every organization, if they want to come and do this, how they can utilize this, or if you want to propose this as a solution to OpenSSF, that'll be great.

F: Yeah, I think, you know, one of the things is: how quickly can this be set up for an org, and you know who should be able to access it. So right now, you know, only I can access this, because this is for my org, right. So it's been set up that way. I don't know if it should be open. Why.

B: Do you... why do you have to set it up? Because if I can do one... let's assume I'm picking only 100 repositories for an organization from GitHub. Let's assume, keeping it that simple, the use case, I don't need to manually set up. I go do one GitHub API call, get me all repositories, then take that 100, do 100 calls to the Scorecard API. With 101 API calls I have this page. I don't need to set up anything; on the fly it can be done.

B: Fundamentally, the more open you are... because that's the whole idea, that's the fundamental reason Scorecard is pushing data open for everybody to consume. You're going to make it harder by making it harder. It's not going to get secure. Might as well tell there's a problem by showing people what the problem is. That's my take.

A: So, if that's for... should we move on to the next one?
D: Was this one that was mine? Can you guys hear me?

D: Yeah, cool. Yeah, my name's Chris, I work at IBM and I submitted the issue. I think it'd be a good feature to have. I don't think it deserves, maybe, a full-on extra check, but that could be something that could be added to, like, an existing check, just to give it a little bit more, you know, a little bit more impact. What do you guys think?

D: It's just basically commits directly to the main branch that aren't attached to any pull requests.

E: Yeah, so my takeaway is, Scorecard, I think, is trying to check this already in two different ways, not that this isn't... this would be useful as well, but one would be it's trying to check the current branch protection settings, and two is it's trying to check the code review, like the code review check, if all commits are code reviewed. So I think it... you know, this is a very good metric to expose.

E: But how do we message that to make it clear to folks running Scorecard, like what this means compared to the other two, you know, so I think we just need to, yeah, maybe integrate it with that code review check, or also, you know, make the documentation and the UI really clear, kind of like what the difference is and so forth.

D: Yeah, that makes sense for sure, because I don't think it would deserve like a separate check, because there's checks that are extremely similar, like just exactly how you said, so.

F: There may be a scenario where, you know, someone changes branch protection and then does it and, you know, changes it back, or there's, I think, also a setting which allows administrators to override it, and so that's, I think, that's what my understanding is. I'll just want to confirm that the idea is that this checks whether, you know, such a commit actually happened, versus branch protection prevents it from happening, right? Yeah, pretty much, yeah. So they're sort of similar in the sense that, you know, if you have already not set up branch protection, and you know this is also the case, then, you know, then it sort of just goes to show that you should set up branch protection, and if you have set up branch protection and then this happens, then maybe, you know, someone either disabled it or maybe an admin pushed it.

F: So yeah, I just want to sort of, you know, think aloud, but it seems like I agree that they're related. I have also commented there, but I've seen some projects that actually have a detection around this, that, you know, they were running through a GitHub action, and then it did something... I don't know, created an issue maybe. I just wanted to also bring that up. I'll try to find where I saw this.

A: Yeah, my... I think that the way that the code review check works now, there was a recent change that I think may, like, it's like help me... like, we could, like, piggyback off of that, which is we went from checking, like, individual commits to, like, grouping commits based on the review activity that they're associated with. So, like, everyone on GitHub has, like, a different way of approaching code reviews.

A: But, and in fact there are some, like, repositories on GitHub that are just, like, mirrored or something from, like, somewhere else, or have, like, an automated... like, some kind of, like, automated process that gets commits from, like, an internal SCM that, like, a company uses and then, like, pushes them to GitHub with, like, a bot or something. So there are, like, a lot of different behaviors that are, like, possible.

A: But what Scorecard does is, like, it'll check for... there's, like, a concept called a changeset, which is, like, basically checking if there's, like, an associated pull request or equivalent constructs in, like, other SCMs, like Phabricator. If there's, like, an associated differential revision, it'll kind of, like, attempt to do this based on looking at commit messages, and it does, like, go into code review scoring or calculation. So, for example, if there is, like, a zombie commit today, I believe the way that Scorecard would handle.

A: It is by saying that that commit, it's not, like... it's just, like, it doesn't have code review on it, and it would, like, reduce the code review score. Now, there's, like, again, like, a lot of ways to fool it, because there's so many behaviors that people do with GitHub, so, like, if you tweak the commit message or whatever to, you know, make it look like it came from Phabricator, which some people legitimately do.

A: So I was wondering, like, how that relates, in your mind, to this feature.
D: So that is, like, a problem that I noticed after I posted the issue, that it was, like, you know, if you run it on a repository, like something that's mirrored, it's just not gonna... it's gonna look terrible, but yeah.

A: Yeah, it does look for an associated merge request, or if it detects that this commit may have come from a different source code management system like Phabricator or Gerrit or something like that, it'll also look for, like, differential revisions, and it's currently, for anything that's not GitHub, it's very permissive, but, yeah, right now it does actually check if there's a GitHub-associated, like, merge request. Okay.

B: My two cents on that is, like, especially on repositories that have just automated commit pushes, like this, almost all commits are going to be zombie commits. It's the anomalies that we want to really catch, because it's already there in our code review check, but it's down in depth, like it's, I think, it's in the weeds as to, based on the message string, is where somebody can say, hey, this is a zombie commit and that's why we bring down the score.

B: One of the things Laurent was working on, still is working on, is the raw data, which we still don't have, that will enable people... One of the features that Scorecard is still working on, a work in progress, is raw data without score, which will enable people to get raw data and they can decide what they want to do. That'll be a great feature to solve this particular problem, but I'm not disagreeing that zombie commits are bad, it's just a question of we're already doing this.

D: Yeah, for sure, yeah. I haven't gotten in depth with the code review check, but I should definitely take a look at it and just see if it could fit in there anywhere or if it's already doing it, yeah.

A: Okay, cool, yeah, thanks for raising that one. So if there's nothing more on that one, should we go to the last issue, or last agenda item, which is Renovate?
C: Yeah, so this should be pretty quick. It's just something I ran into as I was trying to merge PRs this week, with hitting our API. Sorry.

C: Yeah, sorry, for background, Renovate supports grouping PRs for dependency updates, instead of Dependabot doing, you know, like Naveen said, 10 to 12 PRs, where every time we merge one, we have to rebase or merge the other one. So you get sort of this quadratic hit on our API usage, and it's something that I could look into if we decide that we want to do this again, like SLSA did.

B: Yes, Arizona wrote this, but then later when I was speaking about this with David Wheeler, what he specifically mentioned is, now you're bringing everything in as part of one commit. How do you know... or he asked that question to me, how do you trust bringing everything in together, because then it becomes harder to cherry-pick which change. What... and thinking about this, there are two things to it. One is we can get... we can say... we can.

B: We have to tweak our Dependabot config to say maximum five PRs open. Right now we have about four DPR program. We can say, hey, after I merge one, open the next one, so that we can reduce our usage but still have that feature. I'm not against your... Renovate is a great tool, but just that bringing all the changes into one PR becomes risky. It's just one time that something has to go wrong and we don't want to be in the news.

C: All right, yeah, I think limiting the Dependabot open PRs... as adults.

B: Yep, okay, cool. We have a consensus unless somebody else thinks of something else.

B: I can take that PR. It's a pretty simple fix. I'll do that and I'll clean up. There's a bunch of PRs that are pending. I'll clean up to good user usage.

A: Okay, cool. Well, that's all for today, then, and we should pick a facilitator for next time. Okay, Nadine, you're on for October 6th. Okay, cool! Well, thanks, everyone.