►
From YouTube: Scorecards Biweekly Sync (July 14, 2022)
A
D
C
C
B
B
C
E
E
E
B
Yeah
yeah,
so
basically
the
open
ssf,
actually
in
there
in
the
charter,
it
says
that
we're
supposed
to
have
all
our
projects
doing
dcos
you're,
I
think
actually,
probably
a
lot
of
you
are
familiar
with
it.
But
this
is
the
signed
off
by
colon
name
and
email
at
the
end
of
commit
messages,
and
that
just
asserts
that,
yes,
this
commit
I'm
I'm
proposing
is
in
fact
something
I'm
legally
allowed
to
add,
and
this
was
a
this
was
a
it's
not
hard
to
do.
B
B
The
the
point
is
we're
not
trying
to
make
force
people
out
of
legal
names.
I
know
there's
a
lot
of
sensitivities.
That's
not
the
point.
That
is
not
a
requirement.
In
fact,
if
you
look
at
the
pull
request
it
talks
about
that
you're
not
obligated
to
you
know.
The
email
just
has
to
just
has
to
be
something
that
works
to
contact
you,
and
the
name
has
to
be
something
that
is
people
use
to
identify
you.
It
doesn't
have
to
be
what's
on
your
passport
or
anything
like
that.
G
B
I'm
dancing
over
a
lot
of
complicated
issues,
but
we
can
get
into
that.
But
if
we're
going
to
really
delve
into
it,
we
probably
need
more
time
happy
to
do
that,
but
just
I
think
that
there's
a
longer
list,
so
if
we're
going
to
delve
in
then
I
would
recommend
we
come
back
to
this.
So
we
can
give
that
more
appropriate
time.
H
B
You
know
what,
since
it's
coming
up
pretty
soon,
I'm
not
sure
that's
worth
trouble
because
then
you,
I
honestly,
don't
know
what
happens
if
both
the
org
and
the
repo
installs,
I
guess
there
is
a
way
to
find
out
but
how's
this.
What
I
would
suggest
is
just
start
doing
the
signed
off
buys
and
if
that's
a
problem
for
somebody
I
mean
literally
it's
one
line
of
text
and
get
will
automatically
add
it
for
you
and
when
we
do
this
at
the
github
level.
B
E
C
Thank
you,
so
I
I
wrote
a
design
doc
and
made
a
small
demo.
Specifically,
I
shared
the
design
dog
with
the
google
group,
so
essentially,
people
have
signed
up
to
the
google
group
should
be
able
to
should.
I
should
be
able
to
read
this.
It's
shared
to
the
entire
google
group,
so
say
anybody
who
should
be
able
to
read
this
and
comment
on
this.
The
goal
of
this
is
to
essentially
make
the
bigquery
data
available
as
an
api.
C
I
just
get
api,
not
a
post
or
push
any
of
that
just
to
get
so
that
lots
of,
at
least
in
my
opinion,
people
can
use
this
so
essentially
to
do
stuff.
I've,
given
the
reasons
I'm
not
going
to
read
through
this
as
to
why
how
it
is,
but
just
want
to
escape
some
reasons
how
this
can
be
utilized
for
all
purposes,
to
essentially
make
life
for
people's
life
much
more
easier
and
before
diving
into
what
the
api
should
be.
I
came
up
with
some
of
the
critical
needs
of
hey.
C
The
api
should
be
version
because
we
don't
I'm
sure,
giving
an
example.
Scorecards
json
had
an
lds
so
up
until
this
march,
so
so
we
should
version
our
ips
so
that
if
and
when
we
break,
we
should
be
able
to
do
that.
Second
thing
is:
we
should
be
able
to
access
the
apis
without
any
tokens.
How
similar
to
what
osp
does
giving
example,
and
last
but
not
least,
another
critical
thing
is
we
want.
C
We
should
be
able
to
support
for
very
high
availability,
because
people
are
going
to
ddas
it
and
should
be
able
to
support
two
to
three
million
records,
so
the
simplest
solution
from
this
is
scorecard
crown
runs
weekly
scans
of
a
million
records.
We
take
that
I'm
just
going
going
over
high
level
overview.
We
take
that
score.
The
quran
has
an
option
to
export
these
workouts
to
a
gcs
bucket.
So
you
can
say
it's
a
it's
a.
C
I
gave
out
an
example
how
to
export
this.
This
is
the
example
of
how
to
export
something
exports
in
this.
In
this
example,
it
exported
about
3500
json
files,
and
I
wrote
code
to
take
that
and
dump
it
to
another
bucket,
which
happened
to
be
ossf
scorecard.
again,
this
is
not
official.
This
is
my
domain.
C
I
just
created
something
just
so
that
to
prove
the
point
and
it
it
I
was
able
to
dump
all
of
that
and
the
and
here's
the
bucket
size
and
what
it
is
right
now
I
was
able
to
dump
about
a
1.2
million
records
with
about
8.5,
8,
gb
and-
and
here
is
what
the
json
would
look
like,
and
this
is
just
the
big
ready
data.
There's
got
nothing
to
do
with
anything
else
on
this.
That's
what
it
is
on
this.
This
is
my
proposal.
C
Essentially
they
say
hey.
This
would
be
a
great
option
to
what
already
azim
and
team
are
building
on.
On
the
other
end,
plugging
this
in
with
respect
to
the
api
that
they're
building
on
for
plugging
this
data
in
if
the
scorecard
does
not
scorecard
action,
is
also
coming
up
with
giving
a
git
api
and
a
post
api.
But
if
people
aren't
running
this
cold
card
action,
we
should
still
be
able
to
utilize
this.
I'm
gonna
pause
right
now.
Let
people
ask
questions
if
they
have
any
questions.
E
C
Sorry,
okay,
so
now
this
is.
This:
is
my
code
running
on
a
on
a
on
a
on
a
compute
and
since
as
a
just
a
just
a
console
app?
So
this
has
to
be
this
has
to
go
into
our
cron.
Then
there
needs
to.
We
need
to
figure
out
whether
it
needs
to
be
a
pub
sub
how
to
run
this
concurrently.
This
took
about
36
hours
to
run
because
it
sequentially
ran
one
single
file
on
each
one
of
that
took
about
36
hours
to
run,
which
is
like
no.
A
Go
ahead,
I'm
just
curious.
What
would
get
request
look
like
so,
for
example,
like
let's
say
a
package
manager
wants
to
get
the
results
for
a
particular
package
and
the
versions
which
is
it
like.
You
can
specify
the
package
name
and
the
version.
Oh
right
now
sorry
go
ahead
or
is
it
like?
You
know,
based
on
the
report
repository.
C
C
Json
and
that's
what
it
is
so
so
it
it
does
not
have
the
package
name,
it
does
not
have
the
comment.
Shy
does
not
have
all
of
that,
but
for
get
go
we
just
have
if
it's
like,
whatever
the
fqdns
slash
version,
if
it's
right
now
it
supports
github
like
right
now
scorecard
does
only
get
out
tomorrow.
If
we
decide
to
go,
do
gitlab,
we
could
be
able
to
that's
the
naming
that
we're
thinking
of
right
now.
Did
I
answer
your
question
on
that
yeah.
B
J
Do
you
have
a
question
yeah?
I
know
this.
This
looks
awesome
right,
so
I
have
one
question.
So
the
the
all
this
crown
job
is
going
to
basically
run
every
given
period
and
it's
going
to
so
you
are
envisioning
that
it
will
override
the
existing
record
or
there
is
some
value
with
the
historical
record.
Okay
for
now.
C
C
Yes,
right
maybe
at
some
point,
but
maybe
absolutely
absolutely
absolutely
so
we
should
be
able
to
get
from
a
kamisha
and
I
already
did
speak
to
azima.
There's
azimus
a
lot
more
plans
on
this.
Sorry,
I'm
not
going
to
talk
foreign,
but
that's
that's
the
end
goal
but
agreed
absolutely.
Okay,
yep
thanks.
C
E
C
Like
three
yeah
like
it
should
not
take
itching
that
I'm
gonna,
I'm
gonna
start
soon
working
on
this,
it
should
not
take
three
months
at
all.
It's
not!
I
will,
I
think
again,
I'm
probably
max
a
month,
but
still
all
these
things
have
to
be
figured
out
and
all
that,
but
I
don't
think
it's
a
three
month
phone.
Oh
no
way,
it's
not
that
much
cool.
E
E
E
C
Raga's
fix
took
care
of
the
product
protoss
issue,
thanks
raghav
on
that,
so
we
don't
have
proto-c
failures.
I
was
looking
at
that
rate.
Limiting
is
causing
problems
thanks,
raghav
rate
limiting
is
causing
problems
and
because
I'm
sorry
I'm
gonna.
I
I
opened
a
couple
of
issues
on
this.
I'm
gonna,
I'm
gonna
unpack
what
I've
been
digging
in
this.
C
We
got
about
15,
dependable
prs
and
every
time
I
upload
something
and
it
gets
merged
in
everything
gets
rebased.
When
it
starts
rebasing,
we
got
about
20
different
actions
that
they
have
to
concurrently
run
their
ddosing
action
runs,
and
so
we're
hitting
rate
limiting
on
that.
So
that
is
the
specifics
on
right
now,
but
right
now
we
don't
have
withdraga's
fix.
We
don't
have
any
more
protoc
failures,
at
least.
C
A
couple
of
things
is:
we
are
constantly
running
for
everything,
there's
a
patch
filter
that
can
reduce
our
number
of.
We
can
look
on
my
work
with
use
this
pure
leaf
to
reduce.
If
it's
go
code
only
then
run
those
things.
If
it's
something
so
we
can
utilize
this
another.
One
thing
that
laurent
has
or
another
project
is
the
salsa
right
now
recently-
oh
my
god,
sorry
recently
moved
to
runaway,
which
gives
the
advantage
of
summing
up
all
of
this
into
one
single
pr.
C
C
B
Well,
it
seems
like
the
real
problem
is
the
rate
limit.
I
I
I
haven't
had
any
trouble.
I
actually
like
having
separate
prs
for
different
things
to
update,
because
you
know
sometimes
one
thing
works
and
another
doesn't.
If
you
try
to
bundle
it
all
up,
you're,
just
increasing
the
likelihood
of
it
exploding,
but
I
do
understand
the
rate
limits
are.
E
B
C
We
do,
we
do
have
a
bot
account
like
stephen
openly
created
a
bot
account,
but
then
we've
been.
We
were
waiting
for
oasis
of
folks
to
go,
get
a
license
for
us
for
the
password
manager,
and
it
just
didn't
happen,
but
that'll
be
great.
If
we
can
use
a
bot
account
instead
of
us
using
our
personal
tokens.
B
Yeah
would
you
I
would
call
up
jen
bonner.
She
probably
won't
be
able
to
do
it
directly,
but
hopefully
she'll
be
able
to
contact
someone
who
will
you
know
give
her
give
her
the
details.
You
know
we
try
to
make
sure
things
get
done,
but
things
do
get
dropped
and
we
apologize.
So
you
know,
let's
get
it
done.
I
B
E
E
They
also
have
another
another
open
feature
which
is
related
to
that
where
you
can
batch
pull
requests
together,
and
I
feel
that
that
would
also
help
people
who
have
hash
pinning,
because
we
we
ask
people
to
do
hash
pinning,
but
the
reality
is
it's
really
really
tough
with
all
these
requests
that
come
in.
So
if
you
could
batch
pr
in
a
way
it
would
be
great
and
they
have
a
feature
there.
E
E
B
J
E
And
I
think
also
something
that
would
be
really
useful
is
if
you
can
have
a
template
on
the
open.
Ssf
of
you
know
how
to
configure
it
and
like
a
good
default
configuration,
because
that
also
takes
time
and
they
have
docs,
but
they
didn't
pick
up
on
everything
that
we
wanted
to
do,
for
example,
even
though
they
have
some
heuristics
so
having.
E
B
E
D
So
I
can
walk
through.
Essentially
what
the
proposal
is
really
from
this
group.
We
would
like
to
know
if
people
have
any
suggestions.
Improvements
concerns
if
it
looks
good.
This
whole
contributor
ladder
is
based
on
the
idea
that
that
we
are
going
to
keep
scaling
up
our
community
of
people
that
are
contributing
to
projects
both
all-star
and
scorecard,
but
we're
starting
with
all-star.
D
D
At
this
point,
you
know
we're
still
a
small
group
relatively
speaking.
This
is
just
us
getting
something
in
place,
so
that
is
people
come
along
and
and
would
like
to
contribute
and
are
asking
you
know:
how
can
they
go
about
kind
of
graduating
up
the
ladder
we
we
have
a
pre-prepared
template
to
go
off
of.
We
expect
that
it
could
change
over
time,
but
right
now
having
something
over.
Nothing
is
is
what
drove
us
to
put
out
this
draft,
and
basically,
if
people
have
concerns,
we
can
iterate
on
it.
D
We
can
have
that
discussion
here.
We
should
also
pack
that
with
comments
in
the
pull
request
itself,
if
you
have
points
to
make,
but
that
is
the
the
gist
of
the
proposal
that
that
we
want
to
get
an
initial
contributor
ladder
out
there
for
all-star
three
basic
levels:
I'll
open
up
the
floor
to
any
thoughts
comments
concerns
at
this
point.
C
D
This
yeah
I'll,
say
jeff
deserves
all
the
credit
on
this
one.
He
he
put
together
the
table
and
the
proposal.
It
just
happened.
He
couldn't
make
this
meeting
so
I
I
had
the
privilege
of
presenting
it.
I
think
naveen,
if
you
want
to
just
stick
that
in
a
in
a
comment
that
is
certainly
one
of
the
more
adjustable
pieces
you
know
of
of
this
contributor
ladder.
B
C
D
B
D
D
B
I
I
have
some
experience
in
how
to
set
up
a
badging
system,
although
to
be
fair,
we
one
of
the
things
we
did.
We
we,
I
use
fastly
so
that
you
know
a
cdn
so
that
we're
not
actually
trying
to
directly
serve.
You
know
so
that
the
badge
value
changes
as
the
project
changes,
but
we
don't
actually
have
to
serve
the
data
directly
because
otherwise,
oh
my
goodness,.
D
E
D
B
Yeah
so
we'll
just
have
to
be
careful
about
terminology,
because
we
have
a
best
practices
badge
and
then
there's
a
scorecards
badge,
and
I
think
that's
perfectly
understandable.
I'm
hoping
I'm
big
on
me
trying
to
make
sure
that
different
things
have
different
names
because
it
gets
confusing.
Otherwise,.
D
A
Yeah
in
here
actually
for
the
contributor,
I'm
trying
to
understand
you
know
the
difference
between
the
contributor
like
as
defined
here
versus
you
know,
someone
who
just
creates,
like
let's
say
one
or
two
yeah
so
because
there's
probably
a
level
where
someone,
let's
say
just
creates
a
pr
once
and
and
so
in
terms
of
the
recognition
and
stuff
like.
I
can't
quite
differentiate,
because
even
if
you
get
added
as
a
outside
collaborator
since
it's
in
public
repository,
I
don't
know.
If
that
makes
a
difference.
A
D
D
C
Yes
to
varun
to
that
question,
take
example:
I
I'm
just
hypothetically
speaking,
I
become
a
contributor
to
all-star,
not
an
approver,
not
a
maintainer
and
varun
happens
to
do
a
first-time
pull
request
and
I,
as
a
contributor
has
somebody
has
hit
the
button
to
approve
test
to
run
and
because
I
am
a
contributor
or
not
an
approver
or
a
maintainer
or
a
pro
meeting.
I
should
still
be
able
to
do
it.
There's
going
to
be,
I
can
hit
that
button
that
allows
that
individual
that
I
can
approve
varun's
test
first
pr
to
run
test.
A
D
C
K
K
So
I
think
the
version
zero,
like
the
first
version,
will
be
merged
into
the
scorecard
repo
pretty
soon,
and
I
think,
like
next
steps
for
the
next,
I
think
maybe
allstar
could
use
this
to
enforce
his
policies
and
the
next
step,
I'm
gonna,
I'm
going
to
do-
is
to
use
this
api
in
the
scorecard
action
ripple
to
visualize
the
dependency
changes
in
the
pr
so
yeah.
I
think
that
would
be
the
version
0
of
this
feature
and
for
like
version
one
after
the
api
is
in
production.
K
K
I
can
use
the
rest
api
to
replace
this
part,
and
another
thing
in
future
versions
might
be
use
the
rest
api
and
use
the
bigquery
data
set
to
find
the
source
like
the
source
ripple
urls
or
for
the
dependencies
like
like
the
current
issue
of
the
github
dependency
review
api.
Is
that,
like
in
my
testing,
when
I
have
like
about
100
dependencies
about,
like
20
of
them,
will
like
have
an
invalid,
url
or
or
just
like,
like
doesn't
have
a
url?
K
C
I
have
a
question
on
this
aiden.
Thank
you
for
the
update.
Is
this
configurable,
so
I
don't
like
example,
especially
in
the
action,
should
be
able
to
opt
in
for
this
like
or
to
opt
in
and
opt
out.
Not
everybody
wants
to
do
this.
Is
this
configurable?
I
just
want
to
make
sure
that's
how,
when
you
plan
your
action,
that
this
is
configurable
option.
K
C
Because
people
can't
like,
if
I'm
that's,
hypothetically
speaking
any
of
my
s,
my
petco
projects
have
about
40
dependencies
every
time.
If
I
do,
I
have
to
do
a
pr,
and
if
it's
kono
opt
out,
it's
going
to
run
40
times
x
calls
it's
going
to
run
out
of
my
tokens,
so
people
have
to
opt
in
to
this
and
not
opt
out.
C
That's
that's
the
only
reason
if
it
had
been
if
there
was
no,
if
there
wasn't
any
I'm
talking
about
40
is
because
the
transit
of
dependencies
that
could
cause
all
these
problems.
If,
if
I
have
to
pull
in
cosine,
it
brings
in
400
dependencies,
so
that's
the
reason
it'll
likely
fail
because
of
my
I'll
be
out
of
tokens.
E
Right
yeah,
I
think
we
can
also
have
a
cap
on
the
number
of
time
we
actually
run
like
we're,
not
gonna,
run
it
on
500
dependencies
yeah.
I
think
also
on
pull
request
a
lot
of
the
time
you
you
use
the
github
token,
so
you
have
less
rate
limiting,
not
all
the
time.
So
it
depends
if
you
have
a
pull
request
from
a
remote
branch
or
from
a
local
branch.
E
K
Yeah
but
yeah,
that's
good,
yes,
so
for
the
time
usage
so
like
in
my
testing,
when
there's
like
more
than
100
dependencies,
I
remember
the
version.
Zero
runs
more
than
like
30
minutes
and
yeah.
I
didn't
finish
at
the
end,
but
hit
the
token
rate
limiting.
So
I
would
say
like
without
the
rest.
Api
like
running
scorecard
checks
on
every
dependency
might
be
a
nasty
problem.
Yeah.
E
K
It
actually,
it
actually
depends
on
the
you
know,
the
ecosystem,
we're
checking
like
like
the
thing
about
the
github
api.
Is
it
only
uses
the
manifest
file,
rather
than
the
log
file,
to
give
the
results
and
for
ecosystem
like
go
like
the
go?
Mod
would
include
both
direct
direct
and
indirect
dependencies,
but
like
for
ecosystem
like
python,
like
the
python
manifest
file
only
includes
the.
K
E
C
E
I
guess
no
questions
so
we're
looking
for
a
facilitator
for
next
before
the
next
meeting.
Is
anyone
interested
in
being
the
facilitator?
I
think
by
now
you
all
know
what
what
that
means.
It's
just
basically
what
I
did
today
asking
people
on
each
item
to
talk
about
so
nothing,
nothing
very
complicated.
Is
anyone.