From YouTube: Scorecards Biweekly Sync (July 14, 2022)
A
D
C
B
Awesome, thank you so much. That, technically, we're all supposed to have been doing it, but I, I'm sure I should. Are we starting our meeting?
C
B
B
C
E
F
Yeah, we have a lot, yeah. Okay, how many people do we have? 12.
E
E
Please add your attendance to the, to the doc if you haven't done so. I think three, four people haven't. You can do that while we, we continue. Is there anyone new today who's attending the meeting for the first time and wants to say hi?
E
I guess nobody is new, so that's fine! So let me look at the agenda. So we have a lot of stuff. I guess, let's start with Naveen talking about DCO.
B
Yeah, yeah, so basically the OpenSSF, actually in there, in the charter, it says that we're supposed to have all our projects doing DCOs. You're, I think actually, probably a lot of you are familiar with it. But this is the Signed-off-by, colon, name and email at the end of commit messages, and that just asserts that, yes, this commit I'm, I'm proposing is in fact something I'm legally allowed to add, and this was a, this was a, it's not hard to do.
B
But the point is that this provides some added legal protections in case a project gets sued and that sort of thing. So there's an issue there.
B
The OpenSSF tends to add a little thing to, to whine about PRs that don't actually do it, and so, if you could, when you do commits from here on, when you do a git commit, use dash lowercase s, or if you're just typing in the text, add Signed-off-by at the end of the commit text, and that just says that, yes, I am legally allowed to do this, either,
B
I wrote it, or I brought in code from something else with the license that allows me to do this. See all that for details. Questions?
B
B
The, the point is we're not trying to make, force people out of legal names. I know there's a lot of sensitivities. That's not the point. That is not a requirement. In fact, if you look at the pull request, it talks about that. You're not obligated to, you know. The email just has to, just has to be something that works to contact you, and the name has to be something that is, people use to identify you. It doesn't have to be what's on your passport or anything like that.
G
B
I'm dancing over a lot of complicated issues, but we can get into that. But if we're going to really delve into it, we probably need more time. Happy to do that, but just, I think that there's a longer list, so if we're going to delve in, then I would recommend we come back to this, so we can give that more appropriate time.
H
Don't want to delve into the, that, but quick, on the, for the projects: do you recommend that we start using Signed-off-by if we haven't already? Just, just that, or should we, yeah, yeah, you're, we're.
B
You know what, since it's coming up pretty soon, I'm not sure that's worth trouble, because then you, I honestly don't know what happens if both the org and the repo installs. I guess there is a way to find out. But how's this: what I would suggest is just start doing the Signed-off-bys, and if that's a problem for somebody, I mean, literally it's one line of text, and git will automatically add it for you. And when we do this at the GitHub level,
B
My understanding, the plan is to turn on some things, so it'll be automatically in the web interface too. So we're going to try to make this, I think it's.
E
B
Okay, yeah, so if we can just start doing that. You know, no one will be shot if you didn't do it in the past, but the goal is to, let's, let's start doing this.
E
Cool, all right. So let's move on to Naveen's feature, which I think is a big one. Naveen? Yep.
C
Thank you. So I, I wrote a design doc and made a small demo. Specifically, I shared the design doc with the Google group, so essentially, people who have signed up to the Google group should be able to, should, I should be able to read this. It's shared to the entire Google group, so, say, anybody should be able to read this and comment on this. The goal of this is to essentially make the BigQuery data available as an API.
C
A just GET API, not a POST or push, any of that, just to GET, so that lots of, at least in my opinion, people can use this, so, essentially, to do stuff. I've given the reasons. I'm not going to read through this as to why, how it is, but just want to escape some reasons how this can be utilized for all purposes, to essentially make life, for people's life, much more easier. And before diving into what the API should be, I came up with some of the critical needs of, hey,
C
The API should be versioned, because we don't, I'm sure, giving an example: Scorecards JSON had an lds so up until this March. So, so we should version our APIs so that if and when we break, we should be able to do that. Second thing is: we should be able to access the APIs without any tokens, how similar to what osp does, giving example. And last but not least, another critical thing is we want,
C
We should be able to support for very high availability, because people are going to DDoS it, and should be able to support two to three million records. So the simplest solution from this is: Scorecard cron runs weekly scans of a million records. We take that, I'm just going, going over high-level overview. We take that score. The cron has an option to export these workouts to a GCS bucket. So you can say it's a, it's a.
C
I gave out an example how to export this. This is the example of how to export something, exports in this. In this example, it exported about 3500 JSON files, and I wrote code to take that and dump it to another bucket, which happened to be ossf scorecard. Again, this is not official. This is my domain.
C
I just created something just so that, to prove the point, and it, it, I was able to dump all of that, and the, and here's the bucket size and what it is right now. I was able to dump about a 1.2 million records with about 8.5, 8, GB, and, and here is what the JSON would look like, and this is just the BigQuery data. There's got nothing to do with anything else on this. That's what it is on this. This is my proposal.
C
Essentially they say, hey, this would be a great option to what already Azeem and team are building on. On the other end, plugging this in with respect to the API that they're building on, for plugging this data in, if the Scorecard does not, Scorecard action is also coming up with giving a GET API and a POST API. But if people aren't running the Scorecard action, we should still be able to utilize this. I'm gonna pause right now. Let people ask questions if they have any questions.
E
C
Sorry, okay, so now this is, this is my code running on a, on a, on a, on a compute instance as a, just a, just a console app. So this has to be, this has to go into our cron. Then there needs to, we need to figure out whether it needs to be a pub/sub, how to run this concurrently. This took about 36 hours to run because it sequentially ran one single file on each one of that. Took about 36 hours to run, which is like, no.
A
Go ahead. I'm just curious, what would GET request look like? So, for example, like, let's say a package manager wants to get the results for a particular package and the versions, which is it, like, you can specify the package name and the version? Oh, right now, sorry, go ahead. Or is it like, you know, based on the report, repository?
C
C
JSON, and that's what it is. So, so it, it does not have the package name, it does not have the commit SHA, does not have all of that. But for get go we just have, if it's like, whatever the FQDNs slash version, if it's, right now it supports GitHub, like right now Scorecard does only GitHub. Tomorrow, if we decide to go do GitLab, we could be able to. That's the naming that we're thinking of right now. Did I answer your question on that? Yeah.
B
C
J
Do you have a question? Yeah. I know this, this looks awesome, right. So I have one question. So the, the, all this cron job is going to basically run every given period, and it's going to, so you are envisioning that it will override the existing record, or there is some value with the historical record? Okay, for now.
C
J
C
Yes, right, maybe at some point, but maybe. Absolutely, absolutely, absolutely. So we should be able to get from a commit SHA, and I already did speak to Azeem. There's, Azeem has a lot more plans on this. Sorry, I'm not going to talk for him, but that's, that's the end goal. But agreed, absolutely. Okay, yep, thanks.
C
Please, happen to have not heard it from anybody, it's a bad idea. If people don't consider this as a bad idea, we want to move forward and start working on this. That's the goal. Okay, cool. Laurent, I'm good! Thank you! I'm going to switch back to.
E
Cool, awesome. Oh, I have a last question. Do you have, like, some sort of timeline of when this might be available?
C
Like three, yeah, like, it should not take itching that. I'm gonna, I'm gonna start soon working on this. It should not take three months at all. It's not! I will, I think, again, I'm, probably max a month, but still all these things have to be figured out and all that, but I don't think it's a three month phone. Oh, no way, it's not that much. Cool.
E
All right, so next item is about the protobuf, the protobuf pre-submit that keeps failing. I am not, I haven't actually looked into details, so I mostly have questions. Is it rate limiting?
E
I think at some point we thought it was, and it might still be, but I think Raghav sent a PR with another kind of fix. So maybe there were two, two problems. So I'm not sure. I'm just asking whether anyone has any.
E
C
Raghav's fix took care of the protobuf protoc issue, thanks Raghav on that, so we don't have protoc failures. I was looking at that. Rate limiting is causing problems, thanks, Raghav. Rate limiting is causing problems, and because, I'm sorry, I'm gonna, I, I opened a couple of issues on this. I'm gonna, I'm gonna unpack what I've been digging in this.
C
We got about 15 Dependabot PRs, and every time I upload something and it gets merged in, everything gets rebased. When it starts rebasing, we got about 20 different actions that they have to concurrently run. They're DDoSing action runs, and so we're hitting rate limiting on that. So that is the specifics on right now. But right now we don't have, with Raghav's fix, we don't have any more protoc failures, at least.
C
A couple of things is: we are constantly running for everything. There's a path filter that can reduce our number of. We can look on my work with use this pure leaf to reduce. If it's Go code only, then run those things. If it's something, so we can utilize this. Another one thing that Laurent has, or another project, is the SLSA, right now, recently, oh my god, sorry, recently moved to Renovate, which gives the advantage of summing up all of this into one single PR.
C
C
I'm, I'm proposing that we move to Renovate so that it produces a lot of manual effort, if people want to see. There are like so many PRs on Dependabot, which is like, and they're constantly failing, because they are, they're running, running to rate limit. I'm gonna pause right now. Let people talk.
B
Well, it seems like the real problem is the rate limit. I, I, I haven't had any trouble. I actually like having separate PRs for different things to update, because, you know, sometimes one thing works and another doesn't. If you try to bundle it all up, you're just increasing the likelihood of it exploding. But I do understand the rate limits are.
E
We can have more, more PAT tokens. I think right now it's using my PAT tokens, so my PAT token is just being rate limited all the time. But if we could do some round robin with, like, bot accounts, I would just use for, you know, this sort of automated things, maybe that will help.
B
You know what I mean. We actually know some of the GitHub folks. We might be able to just get a higher rate limit, especially if we, I didn't realize it's on your token. Can we, can we maybe use a different one specifically for Scorecard and then try to see if we can get that one bumped up?
C
We do, we do have a bot account, like Stephen openly created a bot account, but then we've been, we were waiting for OpenSSF folks to go get a license for us for the password manager, and it just didn't happen. But that'll be great if we can use a bot account instead of us using our personal tokens.
B
Okay, I apologize. I wasn't aware that you were waiting for anything. Who, who are you waiting on?
B
Yeah, would you, I would call up Jen Bonner. She probably won't be able to do it directly, but hopefully she'll be able to contact someone who will, you know, give her, give her the details. You know, we try to make sure things get done, but things do get dropped, and we apologize. So, you know, let's get it done.
I
B
Okay, I recognize CRob's voice. All right, so yeah, I mean, you know, if there's a better way to do it, that's great. But just, you know, if there's something we can do that actually, you know, kill problems, I'm all for it.
E
Back to the Renovate. So we're trying to use it on the SLSA repo, as Naveen said. We haven't, I haven't had the, the time yet to play around with the configuration, but Naveen is right that they have a configuration where you can select groupings, I don't know what they call, for multiple dependencies.
E
They also have another, another open feature which is related to that, where you can batch pull requests together, and I feel that that would also help people who have hash pinning, because we, we ask people to do hash pinning, but the reality is it's really, really tough with all these requests that come in. So if you could batch PR in a way, it would be great, and they have a feature there.
E
That has been open for six months, and I was thinking that if we could fund them to do this, it would actually help a lot of, you know, a lot of people, including us, because it's, yeah, it's, otherwise it's, it's really difficult.
E
B
J
E
And I think also something that would be really useful is if you can have a template on the OpenSSF of, you know, how to configure it, and like a good default configuration, because that also takes time. And they have docs, but they didn't pick up on everything that we wanted to do, for example, even though they have some heuristics. So having.
E
B
Chain integrity, to be honest, but yeah, best practices seems plausible, and CRob's right here, is, and he's the working group lead. So.
B
E
Cool. Any other question on the, on PR? And, like, I think we're done for this protobuf era. So, let's move on to contributor ladder definitions. I think Jeff had to run, so it's probably gonna be David telling us about. Oh, maybe Brian.
D
Yeah, so I, I, I made an agreement that, if, with Jeff, that if he couldn't make it, I, I'd do my best to, to channel Jeff as I, as I represent this topic.
D
So I can walk through essentially what the proposal is. Really, from this group, we would like to know if people have any suggestions, improvements, concerns, if it looks good. This whole contributor ladder is based on the idea that, that we are going to keep scaling up our community of people that are contributing to projects, both Allstar and Scorecard, but we're starting with Allstar.
D
Essentially, your ability to approve and give write access goes up as you move down that list. When you're just a member, you're essentially getting a badge on your GitHub profile saying that, that you're a contributor to Allstar, and you can become a member if you're actively participating in, in any sorts of discussions or you're actively contributing to the project. As you start to take on a little bit more responsibility, and, you know, you've basically shown that you're an active and trusted member of the Allstar community, moving up to approver for people that are interested in.
D
That would allow any approver to accept pull requests, to have write and push access, and essentially to be, you know, kind of one, one level below a maintainer, where a maintainer is somewhat self-explanatory: full access, ownership, can make final decisions on any large proposals and features.
D
At this point, you know, we're still a small group, relatively speaking. This is just us getting something in place, so that as people come along and, and would like to contribute and are asking, you know, how can they go about kind of graduating up the ladder, we, we have a pre-prepared template to go off of. We expect that it could change over time, but right now, having something over nothing is, is what drove us to put out this draft, and basically, if people have concerns, we can iterate on it.
D
We can have that discussion here. We should also pack that with comments in the pull request itself, if you have points to make. But that is the, the gist of the proposal, that, that we want to get an initial contributor ladder out there for Allstar, three basic levels. I'll open up the floor to any thoughts, comments, concerns at this point.
C
I love it. The only concern is that one business day. That's my only caveat, to somebody becoming, somebody having that one business day is my only caveat that I see, as somebody, you putting, you putting somebody into a fix.
C
So if not that, this is really good. Heads up to Jeff and Brian for putting this out. We've been pushing.
D
This, yeah, I'll say Jeff deserves all the credit on this one. He, he put together the table and the proposal. It just happened he couldn't make this meeting, so I, I had the privilege of presenting it. I think, Naveen, if you want to just stick that in a, in a comment, that is certainly one of the more adjustable pieces, you know, of, of this contributor ladder.
B
By the way, this is for the ladder for Scorecards itself, right?
B
C
Problem, but we already have an issue going on this. Like, okay, that's thief and created this. This is going on, would be great, and I see David, you made some comment on this about DCO, but yeah, but this would be great if somebody can take it from foundation perspective.
D
And, and I'll add that, you know, effectively, if we arrive at a different sort of contributor ladder OpenSSF-wide, we would adopt that. If this is also a good, you know, feeder proposal to factor into that discussion, you know, where I think, obviously we can pull that into.
B
D
E
Do we have an OSS badge for contributors or something that they can show up, show, show on their repo, like GitHub badge or something? No.
D
I don't, I'll say, even though I said the words, it would, they can add a badge to their profile, I, I don't know that answer.
B
I, I have some experience in how to set up a badging system, although, to be fair, we, one of the things we did, we, we, I use Fastly, so that, you know, a CDN, so that we're not actually trying to directly serve. You know, so that the badge value changes as the project changes, but we don't actually have to serve the data directly, because otherwise, oh my goodness.
B
So happy to talk on another time, if you want to go down that road.
D
That, that sounds great, and, you know, I think giving folks the ability to, to just show that this is a project they contribute to benefits both ways. You know, it's certainly good for the individual, but it's also just, you know, good for, for getting our own projects out there.
E
D
B
Yeah, so we'll just have to be careful about terminology, because we have a best practices badge and then there's a Scorecards badge, and I think that's perfectly understandable. I'm hoping, I'm big on me trying to make sure that different things have different names, because it gets confusing otherwise.
D
E
Cool. Naveen, do you want to move your screen back to the agenda?
A
And I had a question on that, on the, can you go back to that screen, and.
A
Yeah, in here, actually, for the contributor, I'm trying to understand, you know, the difference between the contributor, like, as defined here, versus, you know, someone who just creates, like, let's say one or two. Yeah, so because there's probably a level where someone, let's say, just creates a PR once, and, and so in terms of the recognition and stuff like, I can't quite differentiate, because even if you get added as an outside collaborator, since it's in public repository, I don't know if that makes a difference.
A
D
I think it's a good question. I, I don't know that I can, I can channel Jeff enough to answer it. I'm not sure if, like, on the Scorecard side, I think there's a similar aspect to this, like someone shows up and tries to contribute.
D
My, my understanding is that, you know, tests don't run automatically until someone clicks yes, is a maintainer.
C
Yes, to Varun, to that question, take example: I, I'm just hypothetically speaking, I become a contributor to Allstar, not an approver, not a maintainer, and Varun happens to do a first-time pull request, and I, as a contributor, has, somebody has hit the button to approve test to run, and because I am a contributor, or not an approver or a maintainer or a pro meeting, I should still be able to do it. There's going to be, I can hit that button that allows that individual, that I can approve Varun's test, first PR, to run test.
C
That's, that's the difference that Jeff is trying to do.
A
D
Otherwise, let's move on to, put it in, put it in the PR, if you, if you think of something right after the meeting that, you know, you'd like to bring up. Otherwise, I think we'll do our best to close it, and then, you know, we'll use it as the working model, unless, you know, something else changes.
C
K
K
So, so currently, I'm adding the unit test and the end-to-end test onto the function API.
K
So you can see the, you can see the function there following the API's link.
K
And the link, yeah, yeah, yeah, yeah. It should be this one. So this is not like what it will be, look like in the version zero, but like, using this API, we can get the dependency changes of the two code commits, and, along with the Scorecard check for, like, every dependency.
K
So I think the version zero, like the first version, will be merged into the Scorecard repo pretty soon, and I think, like, next steps, for the next, I think maybe Allstar could use this to enforce its policies, and the next step I'm gonna, I'm going to do is to use this API in the Scorecard action repo to visualize the dependency changes in the PR. So yeah, I think that would be the version 0 of this feature, and for, like, version one, after the API is in production,
K
I can use the API to replace the, you know, the current, like the current code in version zero. So in version zero, I'm basically running the Scorecard checks on every dependency, and that would be pretty, like, pretty time consuming. So I hope, like, in future versions,
K
I can use the REST API to replace this part. And another thing in future versions might be use the REST API and use the BigQuery data set to find the source, like the source repo URLs, or, for the dependencies. Like, like the current issue of the GitHub dependency review API is that, like, in my testing, when I have like about 100 dependencies, about, like, 20 of them will, like, have an invalid URL or, or just, like, like, doesn't have a URL.
K
So I, I, I think, like, in future versions, we can also use the REST API to supplement the source repo URL for those dependencies. Like, the last thing is, maybe we can, you know, change the dependency data source API, like, with maybe, like, better ones, since there are, like, some issue with the current one.
K
Yeah, I think these are all of the updates of the feature I'm working on. So is there any questions or feedbacks?
C
I have a question on this, Aiden. Thank you for the update. Is this configurable? So I don't, like, example, especially in the action, should be able to opt in for this, like, or to opt in and opt out. Not everybody wants to do this. Is this configurable? I just want to make sure that's how, when you plan your action, that this is configurable option.
K
Yeah, actually, I haven't started on the action part, but I think I'll make it configurable. Yeah. Okay, okay, just want to make sure. All right, yeah. Of course. Nice, thanks.
C
Because people can't, like, if I'm, that's, hypothetically speaking, any of my s, my petco projects have about 40 dependencies. Every time, if I do, I have to do a PR, and if it's kono opt out, it's going to run 40 times x calls. It's going to run out of my tokens. So people have to opt in to this and not opt out.
C
That's, that's the only reason. If it had been, if there was no, if there wasn't any. I'm talking about 40 is because the transitive dependencies, that could cause all these problems. If, if I have to pull in cosign, it brings in 400 dependencies, so that's the reason it'll likely fail, because of my, I'll be out of tokens.
E
Right, yeah, I think we can also have a cap on the number of time we actually run, like, we're not gonna run it on 500 dependencies, yeah. I think also on pull request, a lot of the time you, you use the GitHub token, so you have less rate limiting. Not all the time. So it depends if you have a pull request from a remote branch or from a local branch.
E
So that could also matter, yeah, because I think having it enabled by default will also be nice, if people start seeing it. And we don't, we don't have, like, we don't have to show 500 results. We can say we take the first 10 if it's too big, or we just wait until we have the, the REST API to really.
K
Yeah, but yeah, that's good, yes. So for the time usage, so like in my testing, when there's like more than 100 dependencies, I remember the version zero runs more than like 30 minutes, and yeah, I didn't finish at the end, but hit the token rate limiting. So I would say, like, without the REST API, like, running Scorecard checks on every dependency might be a nasty problem. Yeah.
E
K
It actually, it actually depends on the, you know, the ecosystem we're checking. Like, like the thing about the GitHub API is it only uses the manifest file, rather than the lock file, to give the results, and for ecosystem like Go, like the go.mod would include both direct, direct and indirect dependencies, but like for ecosystem like Python, like the Python manifest file only includes the.
K
K
E
C
Lot, and Aiden, I saw the Aiden feature, like, that weekend was, I hit up Laurent and said I'm working on this offline. Obviously, and thanks to Aiden, I got that, there's something to push me in. It was Aiden. Thanks, Aiden, yeah.
E
I guess no questions. So we're looking for a facilitator for next, before the next meeting. Is anyone interested in being the facilitator? I think by now you all know what, what that means. It's just basically what I did today, asking people on each item to talk about, so nothing, nothing very complicated. Is anyone.
F
G
So yeah, I, I, I just really, we'll all be in a summit two weeks later, so I'm not sure if we'll, I mean, we should still figure out who the next facilitator should be, but maybe it'll be a month later, just FYI.
E
E
Give it to them, that works. So we will have Naveen be the facilitator, and if someone wants to jump in, we'll, yeah, just write it in the doc. Cool. Well, thank you. Thank you so much, everyone.