From YouTube: Scorecards Biweekly Sync (June 30, 2022)

B: Yeah, oh well, oh well! How are you doing?

A: I am, yeah, I'm struggling a little bit. I had my eyes dilated today for some, you know, just some retinal tests, but it's a little hard to read.

A: All right, you know what, I'm gonna post the URL in the chat, although I guess I'll have to do that in a moment again as people join. Won't I? Yeah, all right. That's the chat URL that I have.

A: I mean, we're not going to record every single thing that happens in the notes. That's why we record the video, but it's nice to be able to go back and figure out what happened when, yeah, particularly for our friends in, you know, the APAC or EU, where there is no perfect time zone.
F: Yeah, I know we usually start at the, at the turn, at, I'm, indeed, like at 2:03, okay. So we wait for three minutes. That's been the usual. Carry forth again, welcoming everyone. So if you're, please, if you know, go ahead and sign up, there's a Google doc that's been posted. We would like to, so that we know who we are talking to, it would be easier, so that'll be good, and we have shared that in the Zoom chat.

F: Okay, it's 3:03, so I think we have, we have kind of a quorum. So let's start the meeting. Okay, hi, I'm Naveen Srinivasan, one of the contributors and maintainers of Scorecard.

H: And hi, I'm Ethan, I'm an intern at Google. I'm primarily working on Allstar and I'm pleased to be contributing to that as well.
B: Welcome. Hey everyone, this is Aiden. Actually, I've already attended this meeting, like, two times; this is my third time. I'm also an intern at Google. Laurent is my manager. I'm working on the Scorecard project, yeah. I have an agenda today, like the dependency data visualization action; I'm gonna try to introduce this one later. Yeah, perfect, welcome.

G: Anyone else? Hi, my name is Raghev, I'm also new on the Scorecard team that works on Scorecard at Google, and...

F: Welcome. I think we pretty much covered most of them, and this, and I see the next action item obviously is, I think Laurent added this, so for people, I think for people who wouldn't know, we presented Scorecard and Allstar at the Open Source Summit last week, I think last week, right? Yeah, Laurent and I as well as Jeff. Jeff, I think, is on vacation this week. All three of us presented about Allstar and Scorecard, and the next action item I see is the different dependency depth visualization, Aiden.

F: You want to talk about that? You want to give just an overview before I... I already have your other app open, but you can just give the team the overview of what it is. It'll be helpful for us to understand what it is.
B: So this feature is for the, like, the action and the pull request. So I've already shared the design doc and the figure in the doc, so yeah. I think we can switch to the figure, the figure page. It should be...

F: Okay, so for people who aren't aware of the dependency review: GitHub has an action which provides a feature of dependency review, so you can give it a repository with the present version along with the... What is the, what does it need to compare with the head?

F: It gives you a list of dependencies that have been removed or added, for people to give some context to that, and this is essentially plugging into that, so that we can figure out what are the dependencies that have changed, and if there are new things that have come in, then we can go to BigQuery to fetch that data from Scorecard to give some information for anybody who wants to merge anything into the pull request by including a new dependency. What is one of the risks in including that?

F: What happens? Let's assume, let's... Aiden, please stop me. All right, why don't you take it up? Let me...
B: Yeah, so, like, in my view this is more like a feature in the Scorecard action. Okay, like, yeah, in a pull request workflow this one will run as a part of the Scorecard action and checks the, you know, the dependency changes of two code commits as a part of the Scorecard action check.

J: Maybe I can provide a little bit more context. David, please, yeah, I'm not...

J: No, no, definitely. So today, like, what we want to do is something pretty simple: when you have a pull request that comes in, if you add some dependencies, I don't know, maybe you add a new Go package to your dependencies in go.mod.

J: We will query the GitHub API, you know, to get the list of dependencies that have changed, and then we will run Scorecard on those dependencies and provide the summary in the pull request.

J: As a comment saying: here are the aggregated scores for the new dependencies that you're trying to add to your project, and if you want to know more, click this link, and it will probably take users to the deps.dev website where they can visualize.
J: Yeah, it's trying to raise awareness of, you know, you import dependencies, like what is the status of those dependencies. I think Naveen at the Open Source Summit had, like, some great demo about how you can do it by implementing, you know, using BigQuery data and all that, but it's not automated, so we'd like to make it easier for users who use the GitHub action, the Scorecard action, to, you know, learn a little bit more about their dependencies.

B: Okay, yeah, thank you all around for explaining this, and I actually have a quick demo on the, like, the version zero of my feature, so may I share my screen and, you know, do this later?

F: Sure, I have a few questions, but we'll talk about that after your demo. Yeah, I'm gonna stop my share right now. Please go ahead, and you should be able to share it right now. Yeah, thanks, Debbie.
B: So yeah, this is my, so this is my test repo for the workflow. I've already configured the workflow file here, so this is basically a listener. So once there is a new pull request, sorry, to this repo, where there's a new code commit to an existing pull request...

B: It will execute my action and analyze the dependency changes, like, in the current branch, the main branch, and the, like, the head commit. So let's modify some dependencies in this file. So this is the current, like, the manifest file for Go in my main branch, and let me replace these packages with, like, another version, and I submitted a pull request for this. Like, patch six.

B: Yeah, and then the, like, the pull request would trigger the workflow here. Yeah, so this could, like, run for, like, 30 seconds or so. Actually, I got a previous result here; it should be, should be this one. So it will, like, analyze the dependency changes in the, like, between this one and the main branch and visualize.

B: Since, you know, this is just for a demo, I'm basically giving every dependency a vulnerable tag. We're still, like, figuring out which URL this vulnerable tag should lead to. Currently it is the, like, the source code repo of the package, or it could be, like, the package version page from deps.dev.

B: Yeah, so whatever it is, this is just, like, the quick demo for the version zero of the feature, yeah.
F: Quick question on these things. So before, like, I'm gonna, I'm gonna share my screen, if you don't mind; can we talk about this? Yeah.

F: So, so, thanks for the doc and the picture; it helped out, it helped understanding. So I see in your picture specifically it's using the REST. It's going to obviously provide a REST endpoint so that you can go, it can go query that. Right now, is your query the Scorecard cron or the Open Source Insights, or is it a combination of both?

F: Okay, so yeah, okay, so essentially, and that is cool because that's what it is. What my concern is, like, Scorecard score is great, yes, but people don't like score. Sometimes people don't like score, sometimes because people, like, have their own opinion on that.
F: Unless, if you provide the score and then they can click on a link and expand about that score, yes, because, because, yeah. And does it, and I, because I'm working on this project a little while, there's a discrepancy between the real Scorecard score and deps.dev. deps.dev does not update what gets updated in the Scorecard BigQuery table. Then there's going to be a disconnect when I see the score. Let's say, suppose, because Scorecard does not have the, the back end does not have a UI for you to go...

F: Look at all of that. There's no UI for the BigQuery right now. So that's one concern that I have. The second concern is: how are we planning to version these APIs? Because if we don't, if you aren't, because Scorecard, as we add more information, yeah, people are going to build on top of this, it's going to become a nightmare when we break things.

F: So those things have to be thought through before building an API on top of this. Yeah, of course, right now I'm going to let the others talk.
B: Yeah, actually, the, like, the right part of the figure, the GKE REST API part, it is not included in the version zero. Like, for version zero, our intention is to, you know, just make it run as an end-to-end action thing.

F: Yeah, but how is it going to use the... again, my ignorance, sorry. If it's gonna, it still has to hit a REST endpoint for it to go get that, like...

B: Yeah, like, for the vulnerability part, actually, the GitHub dependency review API would give us, like, a list of vulnerabilities. Oh yeah, okay, yes, okay, so we...

B: Sorry, like, we don't have to query the, like, the BigQuery, Open Source Insights, like, for vulnerabilities. So, as you see, I put, like, one, two, three, I put three threat intelligence sources into the, you know, the vulnerability box, like CVE, OSV and GHSA, which is the GitHub Security Advisory.

B: I think this is, like, the exact vulnerability source that GitHub is using, yeah.

B: So yeah, like, for the version zero we don't need to, I don't need to do the REST API, like, for the version zero.
F: In my opinion, the one on the right is the real thing that everybody's looking for. I understand adding vulnerability information is great, but should that be part of Scorecard action's job, to just get vulnerabilities from the dependency review API and dump the information? Should that be part of Scorecard action? Is that Scorecard's responsibility?

J: We don't need to have the vulnerabilities. I think, like, other questions you asked about, hey, do we want to have just scores? I think we're just using aggregate score right now, because we don't have badges.

J: So this would be just, like, a summary, and then we provide a link, and I think that's what the future should be, like the first iteration: no vulnerabilities, perfect. And then once we have a better way to visualize, we can update in the next iteration. Like, hopefully deps.dev will have better visualization and we can still use them, but if not, maybe we have Scorecard's own website and link them to there.
F: Yeah, I'm sorry, I'm 100% for this. I'm just making sure that we don't disappoint our customers with incorrect information, especially if deps.dev is out of sync from our BigQuery. We don't want that, and believe me, people are going to DDoS this API.

A: Go ahead, oh okay. As I said, I totally understand the data out of sync problem. Perhaps one solution, and I certainly agree that it would be very, very good as soon as possible to be able to drill down that next level, because that means not just knowing a score, you want to know why. But I think at the very least it would be good to have a date. You know, the date time of when that score was created.

A: You know, a tooltip, whatever, but that might make it so that if there's a disagreement because deps.dev has an older version, you know, if they show date and you show date, because, oh, they're from deps.dev, it'll make it a lot more obvious why there's a difference, if there is one.
F: Also on that note, I do know deps.dev is there; I don't remember their BigQuery structure. At least I played with that. I don't know if they have the Scorecard data. If they have the Scorecard data, it can be pulled from that, so that we can show a UI and still show a score. The score might be a couple of weeks old, but it's okay, but it gives us a UI when the Scorecard team does not build a UI for all of this fancy stuff that we already have in deps.dev.

A: That's, I mean, every time you do a commit you're gonna rerun Scorecard on everything, on everything.

J: So, so we, so, I think v0 might not be the thing that we actually release, but we have to get through that first to actually test it, and this seems to be the simplest. But if you think that it's better to just, you know, skip that step, maybe we could, I don't know, I think we're open for it.
F: My thing is: if you do, if you build the right side, then getting the left side is super easy, because then everybody... when we build the right side. Sorry, I meant the right side for people who aren't as clear: the REST endpoint. If we build a REST endpoint, the dependency and everything, then we can, we expose BigQuery, which is great.

J: Yeah, the deps.dev team is working on a public API, REST API, so also we don't want to duplicate their work. I guess that's...

F: I guess, okay, so again, my ignorance; I don't know what is happening on deps.dev. So do we have to rely only on deps.dev for Scorecard's everything? Probably that makes sense, but do we have some kind of a timeline as to when they are likely to come out, say probably, if, summer, fall?

J: No, just second quarter of the year, so relying on them is not so... because there's also, like, like you said, there's two data sets, right: there's the Scorecard BigQuery table that we can use for the results, and then deps.dev is more, like, for transitive dependency information.
F: For v0, basically, also stepping back with the other thing that we're doing in the action, wherein with the badges work, all of this is going to come to the BigQuery. Unless deps.dev queries from Scorecard's BigQuery table, then we are fine, but if they're going to maintain a different data set, then that becomes a problem.

J: So maybe to also make it simpler, like, when I say v0, I don't mean that this is going to be what we release. Maybe we release v1, but maybe for v0 we don't update the score on every pull request, because we can check whether we already checked the results, or maybe, yeah. So maybe that would be a compromise that we could...

A: Yeah, just because, yeah, to be clear, I don't have any problem with the v0 having partial functionality. I mean, that's kind of what an early release is, but we just have to be careful not to get that used widely or you're going to peg all sorts of things. Yep, so, but the destination is, is loading in from place, is awesome.
F: So again, I'm just asking questions. What is it that is stopping you from building the right side? I already spoke about this to the other Brian who works in Google for the product team. I suppose I was speaking to him about... there's a very specific thing that we don't... is that a blocker for moving towards the right endpoint, right side, building the REST endpoint?

J: So I think it's not necessarily a blocker, but it's more like, because Aiden is just interning for, like, two and a half months. Yes, you know, it's pretty hard to, like, finish up.

F: For Aiden's project as something he can wrap up, and if I'm not... trying to understand, okay, yes, yeah, but somebody else can also keep progressing on this as a feature, right? Just making sure. Yes, yeah, yeah, definitely, yeah. I think if we can build v0 in that mode, to v1, to be perfect, yep.
B: Yes, sorry, I agree. So, like, I'm also new to the REST API and the GKE stuff. Like, if I'm gonna develop, like, a robust API on GKE as a real public service, it might take longer, maybe longer than my internship, you know, to finish, so...

F: Especially, we need some SLAs, and right now, like, right now, look how Sigstore is going through defining SLAs. If we're gonna expose this, people are gonna expect some kind of not having rate limits. We need to put in some rate limiting, all the things that come with exposing an endpoint.

J: So how about for v0, so would it be okay, let's say we run locally real-time Scorecard, but we always check when the previous run happened and we do at most one run per day per pull request. Maybe that would probably be good enough.
J: Let's say you have a pull request, we run Scorecard, the results are shown as comments like Aiden's, and then in the next commit to your pull request we don't run it again, and we wait for maybe 24 hours before we run it again, so that we don't run it all the time. If that is a bottleneck, I think that's a concern that David had: we're going to be running and running and maybe hitting rate limiting on some other systems.

B: Yeah, sorry, I have a quick question on this. So I think it's quite similar to what Codecov is doing. So basically, when I, like, submit my commit to a pull request, like, every time, the, like, Codecov will just run again and give me, like, yeah, it just gives me a new result of the code coverage.

B: I think they also have this, you know, the API limitation issue.
F: Because we use the GitHub API, that's the biggest problem. Like, an example: my concern is, like what David had, if I go bring up a new library and that library has 400 dependencies, translated into API calls, now you're going to run the 400 and half of it partially is going to fail, we're going to update the comments saying hey, these things have failed. Where do we update the comment to the pull request? The pull request could have been closed.

F: Okay, so at least we get some perspective. Aiden, is there anything else that you want to talk about specifically on this?

B: Oh, actually, so I put the question in the doc, like, for the version zero. So where should my code go? So maybe the Scorecard repo or the Scorecard action repo? I know we have, like, different opinions on, on...
A: You know what, I think in the broad scheme, whatever makes, you know, whatever is easiest for everybody, but I think there is value in making a different repo. If you might have different groups or even more, it might have a life of its own. You know, my experience is once you start serving information to something else that might be more general, often better, you know, it's running in a separate environment. It's you providing data that might be useful to other folks; it starts to make sense as its own thing.

A: Yeah, I mean, you can get started, you know, use Apache 2.0 or MIT licenses, but yeah? But you know, there's no reason to stop forward progress, but if we're gonna make different repos, I think sooner rather than later it'd be better to bring it in under OpenSSF. You know, talk to the working group, make sure they're okay; I presume they're okay. Bring it in to OpenSSF, then it's all part of it and nobody has any weird questions.

B: Yeah, so this is the first question, and another one is an issue I found for the GitHub dependency review API. So I did some tests on this API and I found it only, like, currently it only uses the manifest file as the source.
F: They are working... I'm sure you're seeing this, okay. For people who don't know, I'm setting the context, right: GitHub recently put in another action where they are able to use the runtime to figure out the dependencies using the build information. So essentially it looks at your build; it almost watches the app, figures out what are the real dependencies, and sends that information to the server so that GitHub can identify...

F: What are the real dependencies, and so Dependabot can do updates to all of that. So it's still not, in my opinion, it's still not very stable depending on that, because they have it as beta, or probably they have it as v1, but they're still working on those things.

B: Yeah, I think its current support for the, like, the manifest file is fine. Like, the issue is, like, we know for different ecosystems, like, for example, in the go.mod, like, we have both direct dependencies and indirect dependencies in a go.mod file, yeah. But for, you know, ecosystems like Python's PyPI, it doesn't have the indirect dependencies in the manifest file. I mean, it has the, you know, the indirect dependencies in the lock file, but not in the manifest file.
B: So if I use this dependency review API from GitHub, you know, as the data source for the version zero, it could give me, like, different results for different ecosystems. Like, for a Go repo, I could have all of the information about both the direct dependencies and the indirect dependencies, but for a Python repo I only have, you know, the information for direct dependencies, because there are no indirect dependencies in the Python manifest file.

F: Yeah, yeah, I totally understand that.

J: Yeah, they already have the data set that is public. Yes, Aiden has been playing with it, so he's able to, like, give a set of dependencies and get all the transitive dependencies.
B: So yeah, if we take a look at the document, I have a repo three in the document, so yeah, there's a link. So this is my, like, my local web server for accessing the BigQuery data set. It's the, it's the agenda, it's the...

B: Okay, so, okay, so repository, yeah, this is a web app, so, like, we can just, you know, pull this to local and get it running, and there is an interface in this web app where we can use, you know, the dependency name and version to query all of these indirect dependencies. But yeah, still, this is, like, maybe the version one or version two thing; it's not the version zero real thing, right.

F: Even my concern is, even if we use deps.dev for transitive dependencies and the GitHub API for the differences between versions, I could be adding a dependency that could be bringing in 14 transitive dependencies, which deps.dev is not going to be aware of. We're going to be giving partial information.
F: Good, and Aiden, if you don't mind, because this is... I'm going to put all my concerns, yes, in the issue, GitHub issue, because it's easier for the whole world to see why we are doing what we're doing.

F: And we can link this doc in the GitHub issue so that we know what we are talking about.

F: Okay, perfect, I will, I will... that's my responsibility after this meeting; I'm going to dump all my thoughts over there and we can have a discussion over there also. Okay, so, Aiden, if you don't mind, I'm gonna let Ethan take over for the next items.
H: Great, thanks, yeah, sure, thanks Naveen. Yeah, sorry, so I've just thrown in a ton of notes here, but yeah. So I was noticing that there are some, on the topic of Allstar, there are some more recent issues on the Allstar repo about, mainly, some people who've had repos that are subject to Allstar's policies have some concerns about specific ones. So the first one that I pointed out here in this list was "Allstar spamming my repo". The spamming part is not the most important part.

H: I don't think, but what is kind of interesting is that it is pointed out here that some binary files, or some, I think that's in this issue, yeah, exactly, some binary files that are in this repo can't really be left out just because they're provided by Microsoft, it seems like. So these are, like, closed source precompiled binaries that supposedly just can't be left out.
H: I think that in some cases it would make sense to create exceptions to the binary artifacts rule in order to allow specific binary artifacts to be left over. What I was wondering was, for one question in this area, was, I don't know, are there any good ways to go about checking the integrity of binary files without necessarily, or yeah, just in limited circumstances where they do need to exist? Is there, like, a good way to go about that?

H: Then that would mean that someone at the org level would have to at least review the hash, and maybe whoever's providing the new hash could submit, like, a URL where it could be downloaded from, and then the person at the org level could be like, oh yeah, okay, that's Microsoft, all right, great.

H: Different, these are, these are executable files that are within the repo, yeah.
H: Of course, yeah, thank you for the question. Yeah, so this is kind of just something I've been thinking about lately. I think that it might be a good idea to add some features to Allstar that would make it just easier for people to deal with and adopt, because I think that if we provide, like, more opportunity for reasonable exemptions, then people are going to be generally happier with it and more likely to not broadly opt out of policies.

H: Rather, I'm sure people would be more willing to work with it if we allow them to carve out very small exemptions to the policies. So one PR I made recently on Allstar was one that allows outside collaborator exemptions. I didn't link to this, but here I'll add it to the thing, actually, or it's this document.
H: Right here, so yeah, basically at the org level, outside collaborators could be approved. So, like, if someone under a company's organization on GitHub wanted to invite someone else to have push or admin access on the repo, then that could be approved by someone managing the Allstar repo for that organization, yeah. So that was one feature on that topic, but yeah, someone else proposed... there was another issue about it.

F: If we go, again, my two cents on this: if we can replicate what Dependabot has, all these configurations, so because beyond the GitHub ecosystem, if we go with the same YAML, if we go with the same templating, it'd be great, because then people are like, I can copy-paste from here to here, I can have the same thing. People love it, I love it. So that's...

N: One recommendation on that. Okay, thanks, I think that's, yeah, sorry, and people, and people call days because...
H: Tradition, in my opinion, that sounds great, okay, yeah, I'll keep that in mind, yeah. This is just, like, something I spewed out really quick, so yeah. That sounds, that sounds good, thanks for the suggestion, and yeah, those are the main things I wanted to cover, yeah, just about increasing Allstar adoption.

H: Mm-hmm, yeah, exactly. I mean, of course, one alternative would be doing it on the repo level, but then, I don't know, the question is: would this stuff all get overlooked, like, or would the hashes really get checked at the repo level? So I think the URL idea is kind of interesting, because that would make it really easy to configure, and as long as we're, I mean, of course, we're running Allstar on a trusted server with a trusted network connection.
H: So hopefully, if we're requesting it from Microsoft, it should be fine. Maybe we can require that it be an HTTPS URL. If we're doing that, verification from our server could be reasonable, but also one other idea was, like, we could do code signing. We could just check to make sure that the executable is signed by Microsoft; maybe add, like, a signature option or some kind of option related to that in the configuration for binary artifacts exemptions, but yeah, the URL idea seems really nice.

A: If you're going to do the URL, you may as well just say, have an exemption for paths and do path matching. I mean, lots of linters say I'm going to skip this path. It's, yeah, they'll not like it.
F: People can stick in a malware URL and all of a sudden Allstar is going to download from a malware URL. So, as long as you take caution, saying in this, hey, please, we are, like... I know you're going to run this in a sandbox, but I'm just trying to say that's one thing that I can think of, people trying to do that. If I have to play the bad guy, absolutely I will.

F: I will do that. If I don't like, I know Allstar is running within Google, this thing, oh yeah, I'm gonna be like, okay, how can I run this so that I can do a zero day, try to do something over there, run my cryptocurrency mining? I'm gonna look at every way to do this, so as long as you just ensure...
H: I think go.

H: Oh okay, I'm just gonna say we'll probably not be parsing the file anyway; we'll just be hashing it. Like, it should be pretty straightforward to just download it from the URL, we'll set a timeout, we'll never write it to disk at all, actually, probably just while calculating the hash. So I don't think there's much room for any kind of exploits based on that. Of course, they'd have our IP of the server, so I don't...

A: Yeah, I guess the real issue is: what's the threat model of things like Scorecard? I've been mainly pitching Scorecard as, you know, trying to help you with unintentional vulnerabilities, you know, and that sort of thing within the packages. If reviewing this as a way to counter malicious code, I mean, yes, that's a totally valid thing to be worried about. I don't know how far, I mean, Scorecard's gonna get there; I mean, most of the other ones are not going to counter that. So I guess maybe we should be explicit one way or the other.
H: At the very most, if we did, well, if we were doing, like, verification of the code signing using a public key or something, we would have to, I guess, slightly parse out the data that we're receiving. But it should be fine, probably.

H: Fair enough, yeah. Definitely, I think so, that the hash method would work for, like, files that don't change a lot or don't get updated. I guess allowing maybe exemptions on a per-file basis would... I think we already do that, though; we do exemptions on a per-file basis. So that's, so it's kind of perfect.
A: I, I like no work issues.

H: For sure. All right, well, that's mainly what I want to cover. I'm not sure exactly what this last issue I listed is, but, oh, ping duration should be configurable. Okay, well, yeah, there you go, could be nice; it kind of pairs with the weekend thing. So, although that's not exactly straightforward to do, but it might be doable.

H: Actually, I don't know, I guess we just run the Allstar checks, like, on a somewhat frequent basis, so actually it could be partly configurable, probably, because I think it's got, like, a default amount of time it waits between replying to issues that it creates. So that would work anyway. Yeah, that's pretty much what I want to cover about Allstar.
F: Perfect, we are almost close to the hour. Thanks, Ethan. Is there anything else that anybody else wants to cover?

F: Okay, perfect, so we usually pick... thanks everyone. We usually pick who's gonna run the next one, which is, sorry, I don't know what the next date is.

A: I honestly don't know how long it takes, and then, to be fair, it may be a little delayed because we had the Open Source Summit, which just... I think it's the same people; they suddenly got dumped a week's worth of videos, so it may be a little backlogged, but the intent is for it to be up, and if it isn't in, like, two weeks, you know, well, let me know. I don't actually know who does that, but I guess I can find it.

F: Up in the... you can hit up in the OpenSSF Slack channel; people are really... you should be able to explore that, yeah. Okay.