From YouTube: Scorecards Biweekly Sync (March 23, 2023)

A
Okay, welcome everyone. So I'm facilitating. Hi, I'm Caroline. I tend to kind of lurk in these meetings, but today I'm facilitating. I'm from IBM, so good to see you all. Next is: if anyone's new, feel free to introduce yourself.

C
Hi, I'm Namita, and this is my first time attending this meeting. I've been part of, like, the best practice... I mean, I've been attending the Best Practices Working Group, and yep, it's my first time here and I look forward to, you know, seeing where this goes. I mean, I'm just trying to understand how this works for now.

A
Great, welcome. And you should all get on the doc and mark yourself as an attendee as well, if you'd like. There should be a link to the doc in the Slack channel, or just ask us and I'm sure we can give you the link in the chat.
G
I can go first and I can provide a general update on what we've been doing at StepSecurity. So for context, StepSecurity is an open-core startup and our focus is on providing remediations for Scorecard checks, and currently we offer four remediations. So the idea is that we want open source communities and developers to basically improve their Scorecard score with ease through automation. And so on that front, last week we met with the Node.js Security Working Group and, as you may know, they are right now, you know, like, in the process of enabling Scorecard across the repositories. And we discussed, you know, like, how they can actually enable Scorecard and how they can improve their score using automation, and the plan is to actually, you know, like, going forward, select some of the repositories and then try out these scenarios.

The other thing is, we are also looking at, you know, like, new automation scenarios for Scorecard, so we went through the existing issues. And, sorry, we saw that there are discussions around SBOM and YDC, and I believe those have not been added as new checks in Scorecard, but this is something, you know, that we are also interested in exploring, as to how we can automatically enable these features on behalf of the developer. And one thing that we plan to do in the near future is we will be adding a remediation step for the CODEOWNERS file, which I believe is required for the Branch-Protection check. Because for branch protection you need elevated access, but depending upon the repository and who has contributed in the given folder, we are planning to introduce the remediation to automatically create CODEOWNERS files, and I would love to, you know, get any feedback you may have, or, you know, anything in particular we should be focusing on. I just wanted to provide a general update to the community.
E
I have a question, yeah. So if you're seeing the CODEOWNERS file... again, I'm asking this question because I'm trying to understand. Just because I've done about 10 commits, what are your parameters to pick somebody as a code owner? Part of me, like, I could just be contributing; I wouldn't want to become a committer or any of that. Have we thought of that, especially when you generalize, and different organizations have different sizes, so to say?

G
Yeah, that's a great question, and we are very early into our design, but the idea is that we want to provide an easy-to-use interface. And, you know, one thing we could do is we could take a look at the repository and then figure out who's actually approving these PRs or who's creating these commits, and sort of, you know, provide an easy way for project maintainers to select, you know, like, a list of users who should be part of a CODEOWNERS file. And I agree with you, you know, like, different organizations and different open source communities have different requirements, and that is something that we need to figure out. But once we have, you know, like, more concrete details on the implementation, I would love to come back and get more feedback.
F
Yeah, just a quick shout out to Naveen for fixing the Go release action and a new Scorecard release, and that we should probably do an action release as well, so that people can use the new Scorecard.

E
The reason, like, the reason I don't bump the Scorecard action immediately is the same reason: things break. You just want to wait at least two, three weeks for people to start consuming, and then probably tweak. On that note, we could probably release it to a main branch and test the main branch in Scorecard, at least as a beta, before we... I don't, because if you don't release the action, it should not be a problem.

F
All right, yeah, that makes sense. There was one change that sort of increased API usage, so it might be worth getting another patch update for Scorecard, and then we can bump it for the action and let the end-to-end tests go.
A
I think that was the last bullet, so if anyone else wants to speak, feel free.

H
There's some connections that I think will be good to have; we'll be kind of trying to invite more people to the meeting. Different OSPOs were interested, and we got a chance to just talk with maintainers more directly, so, basically, a talk we will plan to do again. We'll be having a similar talk at RSA next month, but Naveen, if you want to add anything to that; that was just a very high-level kind of overview.

E
Absolutely. There's one other thing that I want to add: this is not a very large vendor-driven conference, and for that we had probably about 35 people in the room, 30 to 35 people, which was good for not a very large conference. And at that, too, this was at 5 p.m. on a Saturday evening; we had about 35 people. Just that was one thing that I wanted to add. I was surprised, to be honest, on that front.

I
I had one item I was going to bring up; I showed up a little late. You know, with the work that's been happening on GitLab support, what is an appropriate time to try to bring GitLab into this discussion? Be it either because you want to have, you know, a token with a higher rate limit on it, or because we want to engage by getting them to maybe include Scorecard as some of their default CI templates. I'm happy to try to push that to happen. I just don't want to jump the gun before maybe folks feel it's at that point to start that discussion. I think it's always good to prime the discussion so they know that's happening, and then maybe they're interested in jumping in and helping, but I wanted to see what you as maintainers feel is appropriate.
J
So I can speak to that. So we are starting off with, like, a small list of GitLab repos and, like, starting to analyze that, similar to what we did with GitHub, and, you know, having this available on deps.dev. I know there is a parallel discussion happening between GitLab and OpenSSF about getting an API token, which is not something I'm directly involved in, but yeah, that might be a pretty helpful thing to get from GitLab to kind of scale this up. So yeah, I mean, I think the TL;DR here is that we have a few checks that kind of, you know, map one-to-one, with parity with respect to GitHub, and those will be the checks we are going to start out with, and that should be available on deps.dev soon. But there might be checks that we don't have parity on. For example, we saw that there are some features not available on GitLab GraphQL, right, like things that are not allowing us to make the request that we would have made on GitHub, like an equivalent request. So these might be some things that, as we kind of come across them, we can probably work with somebody on the GitLab side and, like, figure out if there's any extra support that we can get from GitLab. So yeah, that's the short update I have there.
I
Yeah, I know some of the folks that I work with who aren't here, but like Keith, Ginger and Jim Robson attended in the past, who will be helping implement some of those additional checks. I think now that kind of the baseline work is in, they'll be jumping on some of those to help out. And then, you know, from my perspective, I'm pushing hard for GitLab support because that's where my company predominantly works, so I will probably make some inroads over there to try to get them to start showing up to this meeting, and then also, if you have someone who's already working the token access...

J
Yeah, I think, with respect to tokens, I would say, like, the more hands we have on deck, that definitely helps, because yeah, it's... I don't think there's any official way for us to, you know, ask for a higher rate limit, so yeah, the more people we have asking for it, that definitely helps. With respect to, like, the implementation and, you know, getting the support fully up and running, I would recommend talking to Raghav Kaul, who's one of the maintainers, so he'll be implementing some of these checks and making sure the framework and, like, you know, the basic support is running. And yeah, like, if there are specific checks on GitLab that we aren't supporting in our v0 and that you would, you know, want to see support for, I think we should have, like, deeper discussions there.

H
Us both up, Jeremy, we could... there's nothing saying we have to just do one in advance.