►
From YouTube: Scorecards Biweekly Sync (March 23, 2023)
A
B
C
Hi
I'm
namita-
and
this
is
my
first
time
attending
this
meeting-
I've
been
part
of
like
the
best
practice.
I
mean
I've,
been
attending
the
best
practices,
working
group
and
yep.
It's
my
first
time
here
and
I.
Look
forward
to
you
know
see
where
this
goes.
I
mean
I'm
just
trying
to
understand
how
this
works
for
now.
D
A
A
E
B
A
G
I
I
can
go
first
and
I
can
provide
a
general
update
on
what
we've
been
doing
at
step
security
so
for
context.
Dev
security
is
an
open
core
startup
and
our
focus
is
on
providing
remediations
for
scorecard
checks,
and
currently
we
offer
four
remediation.
So
the
idea
is
that
we
want
open
source
communities
and
developers
to
basically
improve
their
scorecard
score
with
ease
through
automation
and
so
on
that
front.
Last
week
we
met
with
node.js
security
working
group
and,
as
as
you
may
know,
they
are
there
right
now.
G
G
And
sorry
I,
and
we
saw
that
there
are
discussions
around
s-bomb
and
YDC
and
I
believe
those
are
not.
Those
have
not
been
added
as
new
checks
in
scorecard,
but
this
is
something
you
know
that
we
are
also
interested
in
exploring
as
to
how
we
can
automatically
enable
these
features.
On
behalf
of
on
behalf
of
the
developer
and
one
thing
that
we
that
we
plan
to
do
in
the
near
future
is
we
will
be
adding
a
remediation
step
for
code
owners
file,
which
I
believe
is
required
for
the
branch
production
test.
G
Because
for
branch
protection
you
need
elevated
access,
but
depending
upon
the
repository
and
who
has
contributed
in
the
Givens
folder,
we
are
planning
to
introduce
the
remediation
to
automatically
create
code
owner
files
and
I.
Would
love
to
you
know,
get
any
any
feedback
you
may
have,
or
you
know
anything
in
particular,
we
should
be
focusing
on
I
just
wanted
to
provide
a
general
General
update
to
the
community.
E
I
have
a
question
yeah,
so
if
you,
if
you're
seeing
the
code
owners
file,
I
again
I'm
sure
asking
this
question
because
I'm
being
I'm
trying
to
understand
just
because
I've
done
about
10
comments,
what
is
your
parameters
to
pick?
Somebody
as
a
code
owner
to
your
part
of
me
tries
like
I
could
just
be
contributing,
wouldn't
want
to
become
a
committer
or
any
of
that
we
thought
of
that,
especially
when
you
generalize
and
different
organizations
have
different
size
to
say.
E
G
Have
yeah
that's
a
great
question
and
we
are
very
early
into
our
design,
but
the
idea
is
that
we
want
to
provide
an
easy
to
use
interface,
and
you
know
one
thing
we
could
do
is
we
could
take
a
look
at
the
repository
and
then
figure
out
who's
actually
approving
these
PRS
or
who's.
Creating
these
comments
and
sort
of
you
know
provide
an
easy
way
to
project
maintenance
to
select.
G
You
know
like
a
list
of
users
who
should
be
part
of
a
code
owner's
file
and
I
agree
with
you
know,
like
different
organizations
and
different
open
source
communities
have
different
requirements,
and
that
is
something
that
we
need
to
figure
out.
But
once
we
have,
you
know
like
more
concrete
details
on
the
implementation.
I
would
love
to
come
back
and
and
get
more
feedback,
but.
E
A
E
The
reason
like
the
reason,
I
don't
bump
these
cool
color
action
immediately
is
the
same
reason.
Things
break.
You
just
want
to
wait
at
least
two
three
weeks
for
people
to
start
consuming
and
then
probably
it
could
weak
on
that
note
spin.
So
we
could
probably
release
release
it
to
a
main
branch
and
test
the
main
branch
in
scorecard,
at
least
as
a
beta
before
we
I.
Don't
because
if
you
don't
release
the
action,
it
should
not
be
a
problem.
F
H
H
There's
some
connections
that
I
I
think
will
be
good
to
have
will
be
kind
of
trying
to
invite
more
people
to
the
meeting.
Different
ospos
were
interested
and
we
got
a
chance
to
just
talk
with
maintainers
more
directly,
so,
basically
a
talk.
We
will
plan
to
do
again,
we'll
be
we'll
be
having
a
similar
talk
at
RSA
next
month,
but
Naveen.
If
you
want
to
add
anything
to
that,
was
that
was
just
a
very
high
level
kind
of
overview.
E
Absolutely
there's
one
other
thing
that
I
want
to
add
is.
This
is
not
a
very
large
vendor
driven
conference
for
that
we
had
a
probably
about
35
people
in
the
room
30
to
35
people,
which
was
good
for
not
a
very
large
conference
at
that
too.
This
was
that
5
p.m
or
5
p.m.
On
a
Saturday
evening,
we
have
about
35
people.
I
I
had
one
item:
I
was
gonna,
bring
up
iPod,
so
I
showed
a
little
late.
You
know
with
the
work
that's
been
happening
on
gitlab
support.
What
is
an
appropriate
time
to
try
to
bring
gitlab
into
this
discussion?
Be
it
either
because
you
want
to
have
you
know
a
token
with
a
higher
rate
limit
on
it
or
because
we
want
to
engage
by
getting
them
to
maybe
include
scorecard,
as
some
of
their
default.
Ci
templates
I'm
happy
to
try
to
push
that
to
happen.
I
I
just
don't
want
to
jump
the
gun
before
maybe
hook
skill.
It's
at
that
point
to
start
that
discussion
I
think
it's
always
good
to
Prime
the
discussion,
so
they
know
that's
happening
and
then
maybe
they're
interested
in
jumping
into
and
helping,
but
I
wanted
to
see
what
U.S
maintainers
feel
it's
appropriate.
J
So
I
can
speak
to
that.
So
we
are
starting
to.
We
are
starting
off
with
like
a
small
list
of
git
lab
repos
and
like
starting
to
analyze
that
similar
to
what
we
did
with
GitHub,
and
you
know
having
this
available
on
depths.dev
I
know
there
is
a
parallel
discussion
happening
between
gitlab
and
openssf
about
getting
a
API
token,
which
is
not
something
I'm
directly
involved
in,
but
yeah
that
that
might
be
a
pretty
helpful
thing
to
get
from
gitlab
to
kind
of
scale.
J
This
up,
so
yeah
I
mean
I
I.
Think
I
can
the
tldr
here
is
that
we
have
a
few
checks.
That
kind
of
you
know
map
one
to
one
parity
with
with
respect
to
GitHub
and
that
those
will
be
the
checks
we
are
going
to
start
out
with,
and
that
should
be
available
on
desktop
Dev
soon,
but
there
might
be
checks
that
we
don't
have
parity
on.
J
I
J
Yeah
I
I
think
I
with
respect
to
tokens.
I
would
say
like
the
more
hands
we
have
on
the
deck
that
definitely
helps
because
yeah,
it's
it's
I,
I,
don't
think.
There's
any
official
way
for
us
to.
You
know
ask
for
a
higher
rate
limit,
so
yeah
the
more
people
we
have
asking
for
it.
That
definitely
helps
with
respect
to
like
the
implementation,
and
you
know
getting
the
support
fully
up
and
running.
J
I
I
would
recommend
talking
to
raghav
call
who's,
one
of
the
maintainers,
so
he'll
be
implementing
some
of
these
checks
and
making
sure
the
framework
and,
like
you
know,
the
basic
support
is
running
and
yeah
like
if
there
are
specific
checks
on
gitlab
that
we
aren't
supporting
in
our
v0
and
that
you
would,
you
know,
want
to
see
support
for
it.
I
think
we
should
have
like
deeper
discussions.
There.