►
From YouTube: Scorecards Biweekly Sync (September 22, 2022)
B
Oh
yeah,
we
submitted
a
talk
proposal
to
that's
the
the
School
contact
proposal
that
got
accepted
I
wanna
I
don't
want
to
edit
that
link
on
that
specifically
Brian
from
Google
and
I
similar
talk
proposal
in
the
Linux
Foundation
member
Summit
and
it
got
accepted
it
just
won't.
Let
everybody
know
about
that.
That's
my
individual
update
on
that.
B
B
We
don't
have
weight
or
the
API
is
great,
because
now
we
are
able
to
get
all
the
information,
but
we
don't
have
way
to
fetch
any
of
the
historical
data.
The
historical
data
is
in
a
big
big
query.
We
have
about
35
million
records
in
that,
so
people
are
jumping
through
hoops
to
get
that,
so
my
proposal
is,
and
also
there
are
two
things
to
it.
One
is
historical
data.
Another
one
thing
is,
we
also
run
scans
every
week.
B
B
My
proposal
is
very
similar
to
depth.
Star
Dev
The
Depths
are
dev,
has
a
proposed,
has
an
option
called
scan
dates,
which
essentially
adds
all
the
scan
dates
and
then
essentially
people
consumers
can
use
credit.
That's
candidate.
Get
a
lot
of
scan
dates
then
use
those
scan
date
to
add,
as
ADD
as
an
additional
parameter
to
the
data.
That
is
there
that
they
can
fetch.
This
gives
an
option
to
two
things.
One
is:
it
gives
an
option
to
get
historical
data
which
is
in
the
bigquery
table.
B
We
also
store
ask
we
can
all
we
should
also
store
our
results
with
the
scan
date
so
essentially
like
how
we
store
with
the
command
Shah
and
the
last
one
that
I
want
to
talk
about
is
take
all
this
bigquery
data
dump
it
into
the
buckets
so
that
we
can
get
the
historical
data.
In
that
that's.
My
proposal.
C
D
A
B
It's
a
single
bucket
with
multiple
docs
like
multiple
folders.
We
take
every
scan,
we
store
it
with
the
connection
we
store
it
with
the
latest
and
we
also
store
with
Raw
results,
restore
and
multiple
paths.
The
same
the
same,
the
Rogers.
Those
are
different
from
that,
but
we
store
that
in
all
in
a
single
bucket.
C
B
B
And
I
also
check
does
buckets,
have
any
size
limitations,
the
buckets
doesn't
have
any
size
limitation.
The
buckets
have
only
size.
Animation
of
a
single
file
cannot
be
larger
than
five
terabyte.
That's
the
only
thing
but
Buck
itself,
essentially
infinitely
scalable.
So
so
we
don't,
we
I,
don't
think
we
are
going
to
hit
that
limit
pretty
soon.
B
B
We
have
to
maintain
common
shots
free
for
a
million
repositories,
oh
1.2
million
repositories
and
given
an
index
for
each
one.
What
are
the
temperature
as
we,
which
we
store
on
it's
a
great
thing
that
we
can
do
the
easier
option
is
to
say
every
time
I
run
a
historicals
when
I
every
time,
I
run
a
cranja
that
happens
once
a
week
I'm
going
to
keep
a
list
only
one
single
list,
which
is
all
the
dates
that
I
ran
the
Quran.
B
E
E
B
I
want
one
two
things
on
this:
I
want
people
to
tell
me
if
I'm
wrong
in
the
stop
process
and
technically
I
still
haven't
dived
like
I
just
gave
an
overview.
I
didn't
say
how
I'm
gonna
do
that,
like
which
kind
of
says
how
it
is.
But
those
are
my
thought
processes.
So
more
technical
I
want
to
say
why
this
will
add
value
and
do
people
see
it
as
a
not
a
good
Solution
on
this.
B
B
That's
one
file
where
I
need
to
manipulate
that.
That's
one
file
taking
the
existing
data
and
dumping
it
into
into
that's
a
that's
a
job.
That's
a
one-up
job
that
I
have
to
write
to
take
all
of
the
35
million
entries
and
write
that
into
bucket.
That's
that's
a
little
time
that
is
a
that
is
a
that,
may
be
a
little
more
than
a
little
more
work.
It's
not
a
single
file,
change.
B
Right
right,
I'm,
gonna,
I'm,
gonna
I'm,
also
gonna
hit
that
hit
up
Laurent
and
nazim
too,
because
okay
same
is
obviously
done
too
much.
Work
on
this
I
want
his
critique
and
say:
hey,
there's
a
problem
here:
I
want
that's
that's
the
reason.
I
brought
this
up.
I
will
tag
him
I'll,
take
them
up
in
slack
to
make
sure
I
get
a
buy-in
before
I
go
down
the
rabbit
hole
of
trying
to
implement.
This
sounds
good.
Okay,.
E
B
B
B
B
This
motivated
me
to
implement
that
API
that
right
now,
prior
to
that,
I
talked
about
how
to
go
fetch
the
data
that
we
have
it
in
a
bucket
some
of
the
work-
and
this
is
a
phenomenal
feature
that
for
people
folks
who
don't
know
this
helps
if
anybody
does
any,
for
example,
in
at
least
in
go.
This
was
implemented.
B
It'll
show,
if
you
add
a
new
dependency
or
update
an
existing
dependency,
and
what
is
the
the
scorecard
score
for
that
dependency
would
show
up
in
your
PR,
which
is
a
great
feature
to
say.
Okay,
if
I
have,
if
I
have
a
dependency
that
has
it's
not
being
maintained,
should
I
add
that
or
not.
This
is
an
avatar,
but
this
will
add
to
your
PR
it'll
comment
on
your
PR,
so
I
was
thinking
of
I
want
to
talk
about.
Where
is
it?
Where
is
what's
happening
on
this
feature?
B
And
there
are
about
three
or
four
PRS
that
are
open
and
pending
couple
here,
a
couple
in
the
actions
repo.
So
that's
why
I
want
to
talk
about
this
specifically
because
it's
almost
still
it's
roughly
about
three
months
old,
this
PRS
nothing
has
happened.
Code
is
beating
away,
I
want
to
make
sure
we
don't
lose
track
of
this,
and
this
will
again
add
a
lot
of
value
to
our
end,
consumers
to
say:
hey
if
I
add
a
new
dependencies
am
I
getting
these
all
of
their
Flying
Blind.
B
B
B
It
up
yep
so
and
I
also
wanted
to
know.
There's
a
there's.
A
big
thread
in
this
PR
I
want
to
make
sure
that
we
have
a
consensus
of
what
is
that
that
is
blocking
this
BR
from
merging
in
it's
easier,
sometimes
to
talk
rather
than
just
be
on
a
PR,
and
that's
why
I
brought
this
up
as
an
issue
over
here.
B
B
I
want
to
know
this
new
dependencies
score
for
the
examples
only
for
vulnerabilities
or
for
maintenance.
I
want
to
know
that
before
I
bring
this
in
now
it
could
be
that
or
any
of
the
transitive
dependencies,
because
that
is
the
biggest
problem
that
we
are
Flying
Blind.
With
this
feature,
it
will
add
tags
it'll,
add
comments
on
your
PR
to
say
Hey
you
are
violating
or
any
of
that,
and
then
you
can
mark
them
as
required,
and
now
you
have
better
kids
on
stopping
bad
dependencies
from
getting
into
your
code.
B
F
Okay,
so
you
know,
as
of
now
in
scorecard
for
a
couple
of
checks.
It
points
to
this
tool
and
what
I
want
to
talk
about
today,
some
improvements
here.
So
you
know
this
is
further
dependency
pinning
and
today
what
happens
is
that
you
know
users
get
redirected
here
and
they
can
fix
their
workflow
file.
So
let's
say
you
know,
I
paste
my
workflow
file
here
and
click
on
secure
workflow.
F
Then
it
you
know
basically
fixes
it
and
then
they
can
copy
it
and
use
it
and
the
you
know
this
is
good,
but
one
of
the
problems
here
is
that
they
have
to
do
this
for
multiple
workflows
or
multiple
files,
and
you
know
that
just
requires
some
repetitive
work.
So
the
the
update
that
I
wanted
to
talk
about
is
this
feature
where
you
can
actually
scan
a
whole
repo
and
then
you
know
create
a
pull
request.
F
And
you
click
on
analyze,
so
it
you
know
it
analyzes
the
workflows
in
that
Repository
and
it
basically
does
the
same
thing
as
the
previous
page,
but
it
allows
you
to
fix
across
workflow
files,
and
you
know
so.
Let's
say
if
I
want
to
again
pin
actions
and
I
choose
two
of
them.
Then
I
can
click
on
create
a
pull
request
and
what
what
happens
here
is
that
you
know
this
folks,
the
repository,
so
this
stuff
only
works
for
public
repositories,
and
you
know
it
doesn't
require
installing
any
app.
F
F
B
F
B
Why
don't
you
go
back
to
that
PR?
Can
you
go
back
to
that?
Pr
oud?
Can
you
can
you
click
on
the
conversation
I'm
gonna
I'm
gonna,
look
at
some
things:
scroll
down,
it'll
be
nice.
If
you
can
like
like
sign
your
com
comments
because
from
the
bot,
because
right
now,
I'm
more
I'm,
just
adding
it
as
a
feature.
More
and
more
things
are
looking
for
sign
comments
so
that
you
it's
for
two
things:
one
is
it
avoids
not
being
manually
signed?
B
B
B
F
Yep,
it's
basically
in
addition
to
you
know
that
initial
page
yeah
basically
use
the
same
apis,
but
instead
of
you
know
doing
one
file
at
a
time.
It
basically
calls
you
know
for
multiple
files,
yeah
and
you
know
in
terms
of
creating
a
pull
request.
So
it
only
allows
one
to
do
that
if
you
have
already
contributed
to
that
Repository.
F
So
you
know
it's
like
that
is
a
sort
of
check
built-in
so
forth.
It
only
works
for
public
repositories,
but
even
then
you
know
so,
let's
say
if
I
put
in
something
where
I've
never
contributed
before
it
will
not.
Let
me
create
a
pull
request
and
the
idea
is
to
just
you
know,
have
some
yeah.
Otherwise
people
might
just
go
and
create.
You
know
thousands
of
VR,
so
I
mean
I'm
open
to
feedback
on
that
as
well,
but
that's
a
check
in
it
right
now.
F
Now
some
of
the
other
things
you
know
that
are
coming
up
here
is
that
We've
also
recently
added
updating.
It
depend
about
config
file,
you
know,
and
that's
also
a
scorecard
check.
So
let's
say:
if
you
have
it
depend
about
file
and
that
does
not
update
some.
You
know
some
of
the
ecosystem
things
like.
F
Maybe
it's
not
updating
action,
then
that
will
also
show
up
you
know
in
the
near
future
and
similarly,
for
example,
if
you
have,
if
you
don't,
have
a
static
analysis
tool,
you
know,
so
those
are
some
things
that
will
it'll
start
showing
that
you
know
you
can
update
your
depend
about
file.
You
can
update
your
ad,
you
know
it's
a
code
ql
or,
and
that
that
you
know
I
think
we
have
to
figure
out
based
on
the
language.
F
B
F
Yeah,
you
know
how
in
depths.the
Dev
you
can
see
the
score,
but
but
you
have
to
see
for
individual
repositories
right.
So
so
you
have
to
go
and
but,
for
example,
let's
say
I
wanted
to
look
at
it
for
my
org
yeah
and
you
know,
I
want
to
increase
my
scorecard
score
for
the
whole
org
and
I
want
to
just
just
have
a
view
for
my
org.
Then
you
can
use
that
I
can
actually
I'm.
Have
this
open
here
for
just
like
a
test
org
you
see
if
I
can
bring
that
up
yeah.
F
F
Assume
it'll
actually
bring
you
to
that
same
page
that
we
saw
yeah
this
sort
of
page
so,
but
these
are
just
things
at
a
different
level
of
abstraction
right.
So
there
is
a
page
where
you
can
fix
a
workflow,
but
then
you
can
fix
multiple
workflows
in
a
repo,
and
this
one
is
just
at
a
next
level
where
you
can
see
at
an
org
level,
but
this
is
something
which
is
not
like:
it
has
to
be
set
up
for
an
org,
it's
not
it's
not
set
up
for
All,
Odds
and
I
was
hoping
to.
F
D
F
F
B
B
Them
if
the
historical
stuff
comes
in
it
opens
a
big
can
of
worms
like
people
are
gonna
use
that
to
do
a
lot
more
people
like
graph
a
lot
with
historical
data,
especially
if
it's
in
then
they
can
use
Python
fancy
packages
instead
of
jumping
through
hoops
to
get
that.
That's
my
thought,
process
cool,
very
nice.
F
B
If
you
use
the
API,
then
actually
you
would
be
able
to
can
you
is
that
is?
Is
this
hosted
in
your
in
your
like?
What
I'm
trying
to
ask
is
if
you
use
the
scorecard
API
public
API,
now
it's
only
two
API
or
not
two
like
there
are
scorecard
API
calls
and
GitHub
API
call
to
say
get
me
a
repositories
for
within
this
organization
and
all
of
a
sudden
you
mismatch
them.
You
got
this
page,
you
don't
need
to
run.
You
don't
need
to
keep
any
State
per
se.
You.
B
Actually,
this
will
be
a
great
project
to
host
within
openssf,
because
now
every
organization
can
go
get
the
score.
This
would
be
a
great
project
of
Hope.
Sorry
I
didn't
mean
to
take
away
what
you're
doing
Varun,
but
but
I'm
trying
to
think
for
a
little
higher
level
as
to
what
every
organization,
if
they
want
to
come,
and
do
this,
how
they
can
utilize
this
or
if
you
want,
if
you
want
to,
if
you
want
to
propose
this
as
a
solution
to
open
ssf,
do
a
that'll
be
able
to
be
great.
F
B
Do
you,
why
do
you
have
to
set
it
up?
Because
if
I
can
do
one,
let's
assume
I'm
picking
only
100
repositories
for
an
organization
from
GitHub?
Let's
assume
keeping
it
that
simple
the
use
case,
I,
don't
need
to
manually
set
up
I
go.
Do
one
get
up,
API
call
get
me
all
repositories
they
take
that
100
do
100
calls
to
scorecard
API
with
101
API
calls
I.
Have
this
page
I
don't
need
to
set
up
anything
on
the
fly
it
can
be
done.
B
Fundamentally,
the
more
open
you
are
because
that's
the
whole
idea,
that's
the
fundamental
reason
scorecard
is
pushing
data
open
for
everybody
to
consume
you're,
going
to
make
it
harder
by
making
it
harder.
It's
not
going
to
get
secure.
Might
as
well
tell
there's
a
problem
by
showing
people
what
the
problem
is.
That's
my
take.
F
F
D
D
Yeah
cool
yeah,
my
name's
Chris
I
work
at
IBM
and
I
submitted
the
issue.
I
think
it'd
be
good,
a
good
feature
to
have
I,
don't
think
it
deserves,
maybe
a
full-on
extra
check,
but
that
could
be
something
that
could
be
added
to
like
an
existing
check.
Just
to
give
it
a
little
bit
more,
you
know
a
little
bit
more
impact.
What
do
you
guys
think.
D
D
E
Yeah,
so
my
my
yeah,
my
takeaway,
is
scorecard
I
think
is
trying
to
check
this
already
in
two
different
ways,
not
that
this
isn't.
This
would
be
useful
as
well,
but
one
would
be
it's
trying
to
check
the
current
Branch
protection
settings
and
two
is
it's
art?
It's
trying
to
check
the
code
review
like
the
code
review
checked
if,
if
L
commits
are
code
reviewed,
so
I
think
it.
You
know
this
is
a
very
good
like
a
very
good
metric
to
expose.
E
But
how
do
we
message
that
to
to
make
it
clear
to
hovers
running
scorecard
like
what
what
this
means
compared
to
all
compared
to
the
other
two
you
know
so
I
think
we
just
need
to
yeah,
maybe
integrate
it.
With
that
code,
review,
check
or
and
or
also
you
know,
make
the
documentation
and
the
UI
really
clear
kind
of
like
what
the
difference
is
and
and
so
forth.
F
F
So
yeah
I,
just
want
to
sort
of
you
know
think
aloud,
but
it
seems
like
I
agree
that
they're
related
I
have
also
like
I,
have
also
commented
there,
but
I've
seen
some
projects.
I
actually
have
a
detection
around
this
that
you
know
they
were
running
through
a
GitHub
action,
and
then
it
did
something
we
I
don't
know
created
an
issue.
Maybe
I
just
wanted
to
also
bring
that
up.
I'll
try
to
find
where
I
saw
this.
A
Yeah,
my
my
I
I
think
that
the
way
that
code
review
the
code
review
check
works
now
there
was
a
recent
change
that
I
think
may
like
it's
like
help
me
like.
We
we
could
like
piggyback
off
of
that,
which
is
we.
We
went
from
checking
like
individual
commits
to
like
grouping
commits
based
on
the
review
activity
that
they're
associated
with
so
like
everyone
on
GitHub
has
like
a
different
way
of
approaching
code
reviews.
A
But
and
in
fact
some
there
are
some
like
repositories
on
GitHub
that
have
are
just
like
mirrored
or
something
from
like
somewhere
else,
or
have
like
an
automate
like
some
kind
of
like
automated
process.
That
gets
commits
from
like
an
internal
CM
that,
like
a
company
uses
and
then
like,
pushes
them
to
GitHub
with
like
a
like
a
bot
or
something.
So
there
are
like
there's
like
a
lot
of
different
behaviors
that
that
are
are
like
possible.
A
It
is
by
saying
that
that
commit
it's
not
like
it's
just
like
it.
It
doesn't
have
code
review
on
it
and
it
would
like
reduce
the
code
review
score
now.
It's
there's
like
again
like
a
lot
of
ways
to
fool
it,
because
there's
so
many
behaviors
that
people
do
with
GitHub
so
like.
If
you
tweak
the
commit
message
or
whatever
to
you
know,
make
it
look
like
it
came
from
fabricator,
which
some
people
legitimately
do
it
it.
D
D
A
Yeah,
it
does
look
for
an
Associated
merge
request
or,
if,
if
it's
like,
if
it
detects
that
this
commit
may
have
come
from
a
different
source
code
management
system
like
fabricator
or
Garrett,
or
something
like
that,
it'll
also
look
for
like
differential
revisions
and
it's
and
it's
currently
for
anything,
that's
not
GitHub,
it's
very
permissive,
but
if
it
yeah,
but
it
right
now,
it
does
actually
check
if
there's
a
GitHub
Associated
like
merge,
request.
Okay,.
D
B
My
two
cents
on
that
is
like
especially
on
CL
on
repositories
that
have
just
automated
command
bushes.
Like
this.
Almost
all
comments
are
going
to
have
zombie
comets,
it's
the
anomalies
that
we
want
to
really
catch,
because
it's
already
there
in
our
in
our
code
review
check,
but
it's
down
in
depth,
like
it's
I,
think
it's
in
the
weeds
as
to
based
on
message
string
is
where
somebody
can
say
hey.
This
is
a
zombie
Comet
and
that's
why
we
bring
down
the
score.
B
One
of
the
things
Laurent
was
working
still,
there
is
working
on
as
the
is
the
raw
raw
data
when
which
we
still
don't
have
that
will
enable
people.
One
of
the
features
that
scorecard
is
still
work
in
progress
is
raw
data
without
score,
which
will
enable
people
to
Raw
data
and
they
can
decide
what
they
want
to
do.
That'll
be
a
great
feature
to
solve
this
particular
problem,
but
I'm
not
disagreeing
to
that
zombie
commits
are
bad,
but
it's
just
a
question
of
we're
already
doing
this.
D
A
C
C
Yeah,
sorry
for
background
renovate
supports
grouping
PRS
for
dependency
updates,
instead
of
depend
about
doing.
You
know,
like
Naveen,
said
10
to
12
PR's
that
every
time
we
merge
one,
we
have
to
rebase
or
merge
the
other
one.
So
you
get
sort
of
this
quadratic
hit
on
our
API
usage
and
it's
something
that
I
could
look
into
if
we
decide
that
we
want
to
do
this
again,
like
salsa
did.
B
Yes,
Arizona
wrote
this,
but
then
later
when
I
was
speaking
about
this
with
David
wheeler,
which
she
specifically
mentioned,
is
now
you're
bringing
everything
in
part
of
one
commit.
How
do
you
know,
or
he
asked
that
question
to
me,
how
do
you
trust
bringing
everything
in
together,
because
then
it
becomes
harder
to
cherry
pick
which
change?
What
and
thinking
about
this?
There
are
two
things
to
it.
One
is
we
can
get,
we
can
say
we
can.
B
We
have
to
tweak
our
depend
about
config,
to
say
maximum
five
PR's
open
right
now
we
have
about
four
DPR
program.
We
can
say:
hey
after
I,
merge
One
open
the
next
one
so
that
we
can
reduce
our
usage,
but
still
have
that
feature.
I'm
not
against
your
Navigator
is
a
great
tool,
but
just
that
bringing
all
the
changes
into
one
PR
becomes
risky.
It's
just
one
time
that
something
has
to
go
wrong
and
we
we
don't
want
to
be
in
the
news.