►
From YouTube: Scorecards Biweekly Sync (November 17, 2022)
B
B
B
B
B
D
E
D
D
A
D
E
A
A
D
Welcome
and
thank
you
I
I
do
want
to
since
you're
here
a
quick
thank
you
to
sonotype,
who
did
some
really
really
interesting
analysis
this
year,
that
showing
you
know
the
the
utility
of
some
of
these
metrics
and
just
you
know,
and
their
their
predictive
power
for
at
least
known
vulnerabilities,
I,
just
I
thought
it
was
really
awesome
to
see
that
kind
of
analysis.
So
thank
you.
D
A
B
Okay,
yeah
so
I,
don't
see
a
bunch
of
project
or
individual
updates,
so
yeah
I
can
go
on
to
the
agenda
and,
like
yeah,
feel
free
to
add
things
over
the
duration
of
the
meeting.
If
anything
comes
up
but
yeah,
the
issue
that
I
wanted
to
talk
about
is
handling
code
review
for
automated
or
bot
generated
commits
on
a
project.
B
So
there
are
a
couple
of
issues
that
have
been
opened
around
like
how
how
we,
how
we
score
code
review
for
for
for,
commits
and
just
to
give
a
context.
The
code
review
check
today
looks
at
GitHub,
PR's
and
whether
it
could
have
for
for
any
any
commit
in
the
kind
of
like
default
branch
of
the
project.
D
B
Like
talked
a
little
bit
about
this
offline
and
there's
kind
of
like
a
proposal
that
want
to
like
get
people's
thoughts
on
today,
we
kind
of
look
at
the
last
last
30
commits
and
out
of
those
commits,
we'll
see
how
many,
how
many,
like
distinct
change
debts.
There
are
meaning
like
how
many,
how
many
of
those
commits
belong
to
like
some
reviewable
activity
like
a
PR
and
we'll
give
like
a
proportional
score.
B
So
if
A,
Change,
Is
reviewed
or
not,
we'll,
like
proportionally
yeah
like
give
like
seven
out
of
ten,
if
like
21
out
of
30
or
30
of
those
commits,
are
like
reviewed,
but
our
proposal
is
like
to
move
this
like
more
proportional.
So
if
there's
any
Presence
at
all
of
blood
commits
that
are
unreviewed,
we
would
just
like
subtract
a
flat
minus
three
and
if
there's
any
human
commits
that
are
unreviewed,
we
would
like
subtract
like
a
minus
seven
for
that
yeah.
D
B
F
F
Sorry,
I
I
wanted
to
give
a
little
bit
more
context,
because
I
think
that's
there's
an
issue
that
people
from
sonotype
actually
reported
at
the
Tahoe
meeting
and
I.
Think
that's
the
broader
context
for
this
problem,
which
is,
if
you
look
at
the
repository,
which
is,
let's
say,
is
a
single
maintainer
Repository
if,
if
scorecard,
only
catches,
full
requests
that
are
from
either
Bots
or
external
contributors,
all
of
those
are
going
to
be
reviewed
because
like
unless
you
have
enabled
Auto
merge
on
Dependable,
but
most
of
the
time
people
still
click.
F
An
external
contributors
also
are
always
going
to
have
an
implicit
review,
whether
it's
it's
an
lgtm,
explicit
or
like
it's
just
you
merge
and
you're
a
different
person,
so
that
kind
of
leads
to
false
positive,
because
all
the
single
maintainer
repositories
will
be
seen
as
having
code
reviews,
even
though
it's
not
exactly
true
and
I.
Think
that's
not
in
the
spirit
of
this
talk.
This
of
this
check.
This
check
is
like
more
like
I,
wouldn't
say:
Insider
attacks,
but
it's
more
like.
F
We
consider
them
less
risky,
maybe
and
we
don't
score
the
same
way,
even
if
they
are
like
reviewed
or
not
reviewed,
and
can
we
also
differentiate
humans
and,
ideally
between
humans.
We
would
differentiate
between
external
contributors
and
maintainers,
although
we
don't
think
that's
easily
possible
because
there's
no
GitHub
API.
So
unless
we
do
some
inference
where
we
look
at
who
merge
commits
and
then
we
say:
okay,
those
are
maintainers
and
then
we
query
again
GitHub
apis.
A
To
just
to
summarize,
like
the
the
thing
that
we
were
talking
about
in
Tahoe,
I
think
Brian
talked
to
you
was
that
there
is
a
user
who
came
to
us
and
was
like
hey.
Why
does
my?
Why
does
my
scorecard
score
keep
going
down
and
we
looked
at
it
and
we
saw
that
he
was
being
penalized
for
not
having
any
any
code
reviews
right.
A
He
was
just
merging
directly
to
Maine
and
occasionally
his
score
would
jump
up,
because
a
dependabot
would
make
a
PR
huge
review
and
his
score
never
should
go
up
because
he's
still
just
a
single
person
committing
directly
to
Maine
so
depend
about
shouldn't
buffer
his
score
in
the
way
that
it
had
been.
So
that
was
the
the
context.
F
And
I
think
something
else
and
Spencer
mentioned
is
that
when
we
like
it's
basically
the
fact
that
it's
going
up
and
down
and
the
there's
like
this
instability
of
the
check
and
we
we
don't
know
if
we
can
really
tackle
this
all
in
one
go
unless
we
look
at
more
pull
requests
or
like
a
longer
history
but
yeah
anyway,
yeah,
that's
you're,
absolutely
right.
Thanks
for
bringing
that
up,
I'll,
let
other
people
talk.
Sorry.
D
Yeah
so
I
have
a
potentially
different
view
that
doesn't
make
it
better,
just
potentially
different,
let's
because
I
think
I
think
this
is
actually
an
interesting
conversation
and
clearly
we
need
to
think
this
through
and
I'm
expecting
there'll
be
some
change
here,
because
I
think
you're
right.
It
does
seem
a
little
odd.
D
If
the
person
who
created
the
bot
is
also
the
reviewer
I,
think
that's
the
one
case
where
that's
a
little
more
dubious,
but
if
a
bot
creates
something
and
then
it's
reviewed
well,
presumably
the
bot
bot
thought
it
was
a
right
thing
to
do
based
on
its
code
and
then
the
human
reviewed
that
particular
change
and
also
thought
was
good
and
so
I
think
that
that
has
some
value.
What
worries
me
I'm,
actually
fine,
with
penalizing
different
verbots
versus
human
commits
proposals.
D
A
A
D
D
D
I
am
fine
with
saying
if
a
bot
or
another
human
creates
something,
that's
one
thing,
be
it
a
human
or
not
a
human.
That's
created
a
proposed
change,
and
now
you
have
a
second
person
reviewing
the
change
to
see
whether
or
not
it's
actually
the
right
thing.
So
you've
got
at
least
two
somethings.
You
know
somebody
originally
proposed
and
somebody
else
reviewed
it
that
doesn't
strike
me
as
crazy.
D
F
And
then,
if
we
have
a
single
person,
we
say
it's
very
highly
likely
that
it's
a
single
maintenance
repository
and
there's
no
code
review
like
can
we
differentiate
based
on
who
commits
like
I,
guess,
maybe
single
maintenance
we
can
actually
infer,
because
if
we
look
at
enough
commits,
we
know
that
it's
the
same
person
reviewing
or
the
same
person
merging
and
if
we
differentiate
that
we
make
sure
that
that
person
is
a
is
a
human.
We
know
that
it's
like.
Can
we
do
something
like
this
one.
D
E
There
some
kind
of
I
haven't
looked
at
exactly
how
it
gets
installed
with
All-Star,
but
a
configuration
file,
maybe
to
save
who
the
maintainers
are,
because
if
you
do
it
that
way,
new
maintainers
would
also
be
penalized,
and
it's
confusing
for
projects.
You
want
to
increase
their
score
to
be
able
to
do
that
on,
like
a
short-term
basis.
D
I
haven't
checked
but
can't
you
know
obviously
GitHub,
for
example,
knows
who
has
rights
to
make
right,
to
has
permission
to
write
directly
to
the
repo,
which
is
what
I
would
call
a
maintainer,
and
at
that
point
is
is
that's,
that's
something
that's
publicly
accessible,
isn't
who
has
permissions
to
write
to
the
repo?
No,
no.
D
A
D
Well,
that's
that's
what
that's
that's
two
of
them,
I
I
think
there's
actually
two
different
measurements:
are
they
getting
reviewed
and
how
many
maintainers
there
are
I
think
those
are
two
separate
points.
So,
let's,
let's
focus
on
the
on
the
code
review
so
for
the
code
review,
we
do
get
that
information
publicly.
D
You
know,
basically
somebody
else.
You
know
if
somebody
proposes
it,
somebody
else
has
to
then
merge
it
right.
You
can.
We
can
certainly
tell
that
publicly
I'm,
actually
fine
with
having
a
lower
penalty
for
a
bot
under
the
assumption
that
it's
you
know,
although
a
bot
could
create
malicious
changes,
it's
somewhat
less
likely.
F
D
F
D
I
think
there's
a
lower
risk
for
unintentional
error.
Bots
can
can
insert
proposed
malicious
code
just
as
well
as
a
human
can,
but
generally
you're
only
going
to
add
a
bot.
If
you
don't
think
it's
going
to
be
malicious
and
typically
Bots
are
only
implementing
things
that
are
so
mechanical
that
they're
unlikely
to
get
it
wrong.
D
B
A
This,
the
normal
approach
to
discussing
features
and
changes
for
the
scorecard
I
I
just
realized
like
I'm
brand
freaking,
new
and
I'm,
just
jumping
right
in
I
love,
I
love.
How
open
you
guys
are
the
conversation,
but
this
is
also
a
little
on
the
disorganized
side.
I'm
just
curious,
like
what's
the
normal
process
for
for
like
changes
and
features
and
and
this
this
type
of
conversation
I.
C
A
D
I
I
am
not,
however,
I
I'm
not
well
I'm,
not
one
of
the
maintainers.
On
the
other
hand,
I
work
for
the
Olympics
foundation
and
I
lead
the
best
practices
badge
project
and
the
two
projects
are
both.
You
know
trying
to
figure
out
how
all
projects
are
doing
things,
so
we
want
to
try
to
coordinate
things.
A
D
D
F
Yeah
and
also
in
particular,
we
don't
want
to
discourage
people
from
using
Auto
merge
independable,
because
you
know
that's
a
useful
feature
and
most
of
us
who
lgtm
depend
about
or
renovate
about
PR's.
We
actually
don't
even
really
review
them.
What
we
we
skim
through
them,
and
sometimes
maybe
probably
just
say
yes,
so
yeah.
D
D
A
D
E
I'm
not
really
clear
on
so
I
understand
that
you'd
want
to
not
have
a
bot
counted
as
a
contributor,
if
that's,
if
you're,
for
the
case,
where
someone's
committing
to
Maine
but
otherwise
I
see
bosses,
sometimes
there
were
sometimes
they
have
better
contributions
than
humans.
So
why?
What's
the
point
of
other
than
that?
One
Edge
case
of
someone
committing
to
Maine
and
not
having
any
other
contributors,
I.
A
Think
that's
I
think
that's
exactly
what
this
is
for
the
first
one
is:
what
do
we
do
when
commits
are
made
without
a
review
right
and
then
there's
the
discussion
of
like
okay?
Well,
if
it's
a
human
committing
without
review,
definitely
penalize
it
now
what
if
it's
a
bot
committing
without
review?
Oh.
D
Yeah
I
think
it
should
not
be
same
penalty
simply
because
typically
Bots
are
implemented
on
things
that
are
mechanical
and
they're
less
likely
to
be
wrong.
They
can
be
wrong,
so
I
think
a
penalty
is
appropriate,
but
a
lesser
penalty
is
also
seems
appropriate
again.
Lower
risk
not
no
risk,
therefore,
lower
penalty,
not
no
penalty.
F
Yeah
me
too
I'm
I'm,
leaning
towards
lower
risk
and
also
because,
if
you're,
a
single
maintainer,
maybe
some
maintainers
just
want
to
say
just
Auto,
merge
I,
don't
have
the
time
to
review
all
this,
and
if
they
do
this
and
we
say
you're
not
like
you
like,
we
don't
want
I,
don't
think
we
want
to
discourage
them
from
doing
this,
even
though,
if
they
are
a
single
maintainer,
they
will
not.
They
shouldn't
pass
code
review
so.
B
I
I
think
in
so
like
in
in
the
default
case.
We
would
like
start
everyone
off
at
10
and
kind
of
like
give
give
these
penalties
instead
of
being
proportional,
but
in
the
single
maintainer
case.
I
think
we
would
go.
We
would
we
all
like
scorecard,
also
has
like
this,
like
insufficient
data
result,
I
believe
so
we
would
like
to
say
something
like
that,
like
there's,
not
enough
data
to
make
a
to
give
a
score
or
not.
F
B
F
F
So
they
have
this
difference
between
yes,
but
that
said
now
that
they
have
a
granular
patch
token.
Maybe
that's
maybe
one
way
that
people
could
use
it,
but
but
but
still
on
the
other
hand,
if
you're
on
your
own
repository,
you
already
know
what
you
do
right.
So
I
think
that
data
is
more
useful
to
Consumers
than
it
is
from
for
maintainers.
So
so
maybe
that
wouldn't
actually
resolve
the
issue.
D
So
so
my
brain
is
limited.
I
can
only
really
handle
one
thing
at
a
time.
So
if,
if
code
is
just
getting
accepted
from
the
outside,
without
any
review,
I
I
like
that
I
guess
proposal
one
you
know.
If
you
know
human
can
it's
on
are
getting
viewed
by
somebody
else,
big
penalty.
If
bot
commits
are
being
accepted
without
review,
you
know
either
the
bot
is
just
editing
it
directly.
That's
a
smaller
penalty.
You
know
three
and
seven
seem
perfectly
reasonable
to
me.
B
Yeah
that
that's
that's
all
right
with
me,
I
I'm,
like
a
little,
you
know
like
every
time,
Like
A
change
is
made
to
scoring
we'll
like
get
some
like
level
of
feedback
on
whether
that
that
makes
sense
or
doesn't
make
sense
based
on
like
people's
workflows.
So
like
I'm,
okay
with
like
maybe
we
should
like
do
proposal
one
and
like
yeah.
C
Just
one
thing
that
I,
like
that
Scott
has
been
doing
in
some
of
his
changes
with
security
policy
and
license
checks
is
that
he
had
a
list
of
say,
400
projects
and
was
able
to
test
I
guess
his
scoring
change
that
he
was
proposing
and
get
an
idea
of
how
on
these
400
projects
it
would
affect
scores
before
the
change
was
made.
So
preemptively
get
some
sort
of
quantitative
data
without
waiting
for
people
to
come
to
us
saying.
Why
did
my
score
go
down.
C
E
D
B
C
B
D
F
D
F
B
D
E
F
So
for
proposal
number
one
will
it
would
it
be
also
good
to
try
to
get
some
statistics
on
Harmony
out
of
the
30
comments
that
we
get?
How
many
are
from
typically
from
a
bot
and
not
a
bot
or
at
least
have
a
distribution
for
single
maintainers?
Because
then
we
could
tell
what's
like
the
minimum
number
of
commits
that
we
should
be
looking
at.
F
F
But
that
will
happen
anyway
right.
If,
if
let's
say,
for
example,
you
have
one
direct
commit
to
the
main
branch
from
a
human
yeah,
and
then
you
have
six
from
depend
about
that
are
not
reviewed
that
are
reviewed,
then
you're
gonna
get
a
certain
score,
and
if
the
other
time
you
have
One
external
contributor
has
a
commit,
that
is
a
PR
that
is
reviewed
as
a
human
and
then
the
same
as
Dependable.
Then
it's
gonna
go
up
and
down
it.
D
F
B
Thanks
yeah,
particularly
in
case
so,
if
you're,
if
you
don't
squash
your
PRS,
then
they
kind
of
like
a
PR
with
like
a
bunch
of
changes
like
a
lot
of
back
and
forth
will
appear
as
like
30
commits
or
whatever,
and
it
could
or
like
50
commits,
and
we
might
not
even
get
all
of
them.
So
might
only
have
like
one
PR
to
look
at
over
the
history
of
the
like.
Okay,.
D
A
A
B
A
Okay,
because
it
seems
like
checking,
pull
requests
to
make
sure
it's
like
hey.
If
this
is
a
dependent
bot,
bull
request,
we
just
ignore
it.
We
we
don't
we're
not
going
to
score
you
based
on
your
dependent,
but
like
you're,
not
going
to
be
scored
well,
based
on
your
dependent
bot
merges
in.
Let
me
look
at
all
the
other
pull
requests
and
if
it's
a
single,
if
it's
like
self-reviewed,
then
that
would
accomplish
everything
is
like
hey.
C
B
D
C
C
D
C
D
B
F
F
I
think
maybe
there's
four
requests
but-
and
maybe
that
would
allow
us
to
be
more
precise
on
on
GitHub
for
GitHub
reviews,
where
we
say
we
know
you
are
doing
reviews,
because
the
branch
protection
settings
says
so
and
I
know
it
can
be
changed
but
like
like
it
depends
if
we
say
that
con
like
maintainers
are
adversarial
or
they're.
Just
you
know
doing
they
are
not
trying
to
game
the
system
or
not
because
like
if
they
just
don't
change
it
all
the
time.
B
B
30
seconds
before
running
scorecard
and
scorecard
would
give
you
like
full
points,
whereas
code
review
is
like
a
historical
thing
of
all
the
commits
in
a
in
a
project
and
then,
like
the
other
part
of
what
you
said,
which
is
like,
can
we
look
at
like
other
review
platforms?
We
we
do
look
at
other
review
platforms,
but
we
apply
much
much
less
scrutiny
just
because
we
don't
have
like
all
the
code
to
handle.
What
would
like
what
would
like
an
approval.
B
C
F
Yeah
I
mean
I'm
trying
to
see
of
what
the
like
how
the
data
the
results
are
consumed.
So
if,
if
I'm
just
trying
to
understand
how
many,
how
my
dependencies
behave,
I
I
almost
feel
like
Branch
protection
is
kind
of
a
signal
that
is,
it
can
be
gamed,
but
it's
it.
It
gives
me
a
an
idea
of
who
is
doing
code
reviews
and
who
is
not,
and
then
there's
the
other
part
where
oh
I'm,
taking
the
view
of
there's
an
Insider
attacks
like
red
team
exercise
and
I
want
to
catch
it
through.
F
D
I
I
think
I
can
make
a
decent
case
for
what's
being
done
right
now.
You
know
the
branch
protection
is
a
signal
that
hey
we
have
an
intent
to
from
here
on.
Do
reviews
get
some
credit,
but
you
know
what
the
what's
oftentimes
the
best
way
to
figure
out
what's
likely
to
happen
in
the
future,
is
to
see
what's
been
happening
in
the
past.
F
C
D
Yes,
I
I
do
know
that
in
SQL
you
can
say
you
know
after
this
date
and
limit.
You
know
up
to
this
number.
You
know
you
can
have
limit
statements.
I
would
imagine
that
graphql
has
the
same.
That
said,
I,
don't
know
what
get
a
get
lab
does
it
wouldn't
I
mean
they
may
just
have
a
simple
paged
interface,
in
which
case
you
can
just
page
backwards
until
you
reach
a
date
or
a
you
know,
either
a
date
or
the
limit
number.
D
D
D
D
D
D
B
B
Do
something
different
like
they
put
the
like,
for
example,
fabricator
has
like
the
differential
Revision
in
the
commit
like
the
commit
message
itself,
so
it's
like
a
little
bit
easier
there
to
like
correlate,
but
with
GitHub
we
actually,
we
use
a
lot.
We
have
one
API
call
for
like
the
log
like
another
and
like
part
of
the
graphql,
is
like
to
get
the
associated
PR.
A
A
D
A
D
D
A
A
First,
first
task
find
out
if
this
actually
works.
So
yeah
drop
me
off
the
issue.
If,
if
you
find
it
otherwise
I'll
I'm
about
to
have
a
baby,
so
I
mean
this
could
be
all
move.
I
might
I,
might
just
not
do
it,
but
but
I'll
put
up
a
PR
with
a
subset
I'll.
Try
to
keep
it
small.
If,
if
we
can
improve
the
viability.