From YouTube: Scorecards Biweekly Sync (October 6, 2022)

A: I guess not, so I don't see a lot of items which are not done by Naveen. So while we wait for Naveen to, folks, have anything that you want to discuss? Caroline, syrup, I see you guys are there, I know. Last week we never got to discuss the IBM and the release commit issue. So maybe should we take the time to discuss that now?

B: I apologize, I completely forgot about it. I thought it was at 4pm. I apologize for starting late.

A: So while we waited for you, we just got started. Yeah, so I know there are two items that you added, Naveen, so I had just posed a question to Carolyn and sort of, if they want to discuss the release issue while we waited, this.

C: This is Caroline, so I have been taking a look at the commit apps, haven't gotten too far yet, but just been using that as an excuse to, like, get familiar with the code. So I'll probably message you on the team on Slack with any specific questions I or others working with me have.

B: Sure, perfect, okay, I will take over. Can you guys look at my screen? I just want to make sure you guys can see my screen. Okay, screen.

B: Okay, a couple of, one of the, I don't know, Azim, did you talk about the scorecard Twitter account that has come up?

B: Waiting for you, perfect, okay, so OpenSSF officially created a scorecard_dev Twitter account. They did this, it appears, specifically for us, because we were discussing whether to create a blog or a Twitter account, and it happened to be, this happened to be easier.

B: Our release notes aren't human readable. Like, here's an example of something, it comes up like this. So this is good that we're adding the PR title, but we have a section for release notes within the PR that most of them, every time, everybody's filling in, and the issue right now is we are not pulling that content out to publish in the release notes.

B: One of the reasons we brought this up is because Stephen brought this up. He gave up the template. I just want to bring this up saying there's a tool in Kubernetes that's supposed to help with this. I am not aware of it. That's why I pinged Stephen to that, if we can get some traction on that, and that's one thing that I had as an issue.

B: If Stephen, okay, first of all, do we have consensus that our release notes should be, up until then it's done for now, could be, could be. Could we take the PR titles from that and put it on our release notes?

A: Oh, I see, yeah, I think that's, that's...

A: Well, great, I believe that's what I asked Stephen knighted for, but yeah, I'm not super sure how the automation works. I know there are a bunch of different tools; I added one which I've seen a bunch of people use, yeah.

B: Oh yeah, so at least, I went back and looked at the Kubernetes repo wherein they wrote a tool for release which will parse the release note template section and go generate that. Probably look at a couple of tools, either this or the other one, but it doesn't, for me, when I had to read the release notes, it does not come out well. Specifically, I saw this in the scorecards dev.

B: Whenever we see this, like, if we go click any of these things it comes up with this. It makes it harder to know what has changed unless you are tracking everything within the project; it's really hard to know what has changed as a general overview. That's my thought process behind bringing this up.

A: Yeah, I mean, I think we need someone who has some knowledge here. I was hoping, I think Stephen has kind of volunteered to be the release...

A: I think we should follow up with them. I know he's been busy recently, but yeah, maybe you should follow up with him. This has been pending for a while, but at the same time I'm not sure if anyone here, as far as I know, I don't think we have the knowledge of the tools to figure out how these things can be automated well. So yeah, maybe we should ask for Stephen to be involved here. Yeah.

B: And that's why I think Stephen and this, at least on the ticket, so that we can have some traction on that. If we don't hear from them, I will also email him just so that we have some update on that. Okay, no one else has any comment? David, you want to go take the next one?

A: We talked about it in the last meeting, at this same meeting, the last incident, yeah. I think that's reasonably doable, right? I don't see an issue in doing that. I'm just not sure what all we might break, but I think it should be fine to 3D print it, and there are anyone.

A: Yeah, I think maybe that should be doable. So Naveen, to your point, I guess David is talking about the API on the...

B: On that note, I'm going to ask something: I see my room, I, at least you sent out an email about getting some help with the UI. Did you get any feedback on that, the scene so.

B: I was thinking that we should go, because having a UI is critical for consumers. From my perspective, why not go ask OpenSSF funding for somebody to do this, like get a UI dev to help with this? Do we, what are people's opinions on that?

A: I mean, if we have like a bigger chunk of work which is UI related, I think it might be worth considering it, but as far as I know, I don't think we have that work right now. This seems like someone with the knowledge can fix it with like a single PR. So I'm not sure if it's...

A: Yeah, so yeah, I think the work that Naveen is talking about, that's in Go, which is in the scorecard API.

B: Yes, so, Varun, you're right, we can just, we got to figure out, hey, now do, and we want the UI to be consistent with what the scorecards website should be, because then it should be seamless, because then the UI should be similar.

B: Perfect, yes, do you know somebody who can help with this, a single page with the same thing, I...

A: A public repository, I can share that with you, Varun.
B: Okay, the next item: Catalin, do you wanna...

C: So, sure, yeah, so this one is about Hacktoberfest. So I just found out about Hacktoberfest, it seems pretty interesting, seems like it's good exposure to get people familiar with the project and to tackle some of the smaller issues. So I think for the project itself, it's pretty easy to add yourself as being involved by, like, adding tags to the project and to specific issues you think would be good and ones you think people would be able to accomplish within the month of October. So just an idea I want to throw out there.

B: I concur. One of the things for Hacktoberfest is the contributors supporting with, enough, able to create specific issues and able to help people navigate through stuff to complete, that's the goal. If we have a consensus among the contributors to say, hey, we can dedicate time for doing this, it's a great idea.

C: Yeah, and it looks like there's around 20 good first issues, so we could probably tag those also with hacktoberfest as well.

A: But yeah, I was distracted. What's the question?

A: Sure, I just want to clarify, is this something like, I'm not sure what's the process for, like, you know, getting involved here? Is it like just tagging is enough, or, like, you know, is there like...

B: Right, the Hacktoberfest is run by, I don't know which specific organization, but we as maintainers can go say, hey, here is our repository, and whoever finishes, gets their PRs merged, the Hacktoberfest pulls that information, gives them some kind of gaffe. It could be a t-shirt, something like that. I've once got a t-shirt. That's the information on that I'm, more applause. Right now, let Jeff answer something. Jeff, you want to say something?

E: Yeah, I guess I have the same question as Caroline. Do you know what it'll take from scorecard side to participate? If we do just mark all the good first issues with the appropriate tag, is that it, and then just, you know, see what people contribute there, or is there more effort involved?

C: That's the gist of it. I sent a link in the Zoom chat, but it's tagging the issues themselves, I'm also tagging the project with hacktoberfest.

C: So that way, when you go from the site, they have a link that links to all Hacktoberfest related projects, and so it'll just get added to that list.

E: Sure, yeah, it looks like they have a summary there in the maintainer section on the bottom of that page. It looks, I think we have, we have a CONTRIBUTING.md, good first issues should be well defined, scoped and self-contained. We have a code of conduct for OpenSSF, I think, yep.

E: Do, and then just be ready to review pull/merge requests, accepting those that are valid.

E: Yeah, good, I was just going to say, with rewards like t-shirts, people are going to send just spam PRs, so just having the capacity to deal with this.

B: My two cents would be: let's try it out. There's been PRs, then you'll see again whether it works or not. I agree. Do you want to say something? Please.

A: Yeah, I mean, again, like, I have no issues, but given similar concerns that Spencer raised, right, I think if there's at least one person who says that, you know, I can kind of lead this or own this, I think that would be easy, because I think that it is easier to do it that way, rather than, you know, everyone kind of half participating without knowing who's actually responsible for this.

A: So if anyone's willing to volunteer and say that, you know, they are going to lead it, the end-to-end procedure, and like make sure the PRs are getting merged and things like that, if anyone's willing to own it, not to say that we won't be helping, but we need a point of contact to say that, you know, who's finally responsible. I think that will probably increase my confidence, and I have to be doing it.

A: Yeah, like, just my understanding is that right now scorecard maintainers have their plates pretty full, so yeah, I think if someone's willing to step up, very happy to do this.

A: Don't think being a maintainer is needed, like, I could be wrong, but yeah, I mean, like, we could help you, but like, yeah, we need someone who might like lead the effort, but I don't think being a maintainer should be a requirement here. Yeah.

E: Yeah, just, I have a little bit of time where I can, you know, close spam issues or point people in the right direction. I just don't have the ability to actually merge the PRs.

B: But we should be, you have done enough, I think it's time that we add this, in assumed you, I want to go ahead and add them to be the maintainer. So a lot of the content would help.

A: We may just keep it separate. What might be helpful is, Spencer, if you do want to drive this, I don't know, it's Carolyn and Spencer, I know Carolyn, you also showed some interest, too.

A: Both want to kind of drive it together, and me and Naveen can, you know, pitch in, and like, actually, if you need actual maintainer access, we can kind of help you out there, but I guess you guys can, like, you know, think offline over Slack and, like, kind of let us know if you actually decide to take this off.
G: Oh yes, so I was going through some of the NIST controls in our audit compliance project where I'm working, and thought, if we could map our scorecard checks to what the controls we are checking and mapping to, which is supporting index controller oauths, like the access side and other controls, which is from the compliance point of view, so that could give you more exposure. These are the controls we are, from the top, we are supporting through scorecard and future.

G: We can enhance more to incorporate some more controls and work on that to work alarms with this controller, or OWASP based controls incorporated into our code.

B: So, okay, that makes sense. I'm at least going to speak for me, I am not aware of NIST or OWASP which match the scorecard checks. Azim, do you want to say, you want to take a stand, as your hand's raised, yeah.

A: I mean, I just, like, is this the SSDF one? You know, there's also the one around security and privacy controls.

G: The security, yeah, security and privacy controls, so it's explained in NIST 800-53 control families, yeah.

A: I think that's an idea that's been floated around, so I can say this, right, so I think that is a pretty good direction, and I think there are like very, very initial discussions on, like, thinking how scorecard can, like, you know, adopt something like that, although the specific document that you're mentioning, which is the NIST SP 800-53, that does not map to what we are trying to solve. I mean, we can take some inspiration from it and we can, like, you know, try to see how scorecard can use a similar framework, but I think it is difficult to map to an existing standard, because as far as I know, there is no particular framework which says: here's how you can assess an open source security, like, it's actually an open-ended problem that no one has solved. So I don't see us fitting into a NIST or, like, an OWASP standard, but I do think we might take some inspiration of, like, you know, how these standards were developed and, like, kind of go from there.

G: That makes sense, yeah. Somewhere it is mapping to, or not exactly backup, but we are taking the inspiration and trying to achieve the compliance and security aspect of those areas, but not exactly the same, but somewhere we are related to that. That makes sense. Thank you.

F: Yeah, I just wanted to mention it. I had seen a similar issue in scorecard about doing, you know, comparison with the CIS Benchmark for supply chain security, so that, yeah, so I thought that was sort of similar to this point, yeah.

A: Right, yeah, I think I would caution against, like, what exists and, like, in trying to map what scorecard should be to what already exists, right. I mean, I do think the problem domain we are trying to solve is actually like, no one's actually trying to do something exactly that, which is that you're taking an open source repository and trying to figure out what are the different threat vectors?

A: What are the different security controls that you can harden? And I think trying to fit into some of the existing ones, well, like, pigeonholes us into, like, only trying to solve specific problems, so yeah, I just want to caution against going down that route. I think we really should be thinking about how do we extend our framework to kind of, you know, bring out that new thing that doesn't exist.

F: I think, I mean, one of the ways to extend is just to do a comparison with others, right, otherwise, like, it's like not using or learning from what others are doing, and I mean, given a GitHub repository in GitHub Actions, a lot of the stuff which is written in the GitHub Actions hardening guide will anyways apply, like token permission, pinning dependencies, all that stuff is also in the GitHub Actions...

F: ...hardening guide. Like, one of the examples which I see is not in scorecard is, you know, about rotating GitHub Action secrets, so that is best practice in the GitHub Action Security guide; it's not something that is done by scorecard. So simply by comparing, it sort of gives ideas about, you know, should this be there or not? It's not that we have to implement all of it, more about, you know, thought exercise of whether it should be there versus not.

A: Yeah, I think that sounds very, I mean, like I said, we are like deriving our inspiration from various points, so yeah, like the GitHub security, sorry, the GitHub Actions hardening might be another place that we should probably look at. If you don't mind, I think Saurabh has added a link to the OWASP and the SP 800 thing. If you could add a link to that too, that would be great, yeah.

B: Perfect. Varun, looks like next is your issue, or at least your topic, about 2318.

F: Yeah, so this one is about thinking about more options for the SAST tools. Also, right now scorecard checks for CodeQL, LGTM and Sonar, and there's an issue that LGTM is going away, and, you know, this thing is more about discussing whether there should be more tools which are added, and I've put some sort of things to consider. So one is about language-specific tools, so there are certain tools like gosec and Bandit, which are language specific, and the other one is just about pricing.

F: You know, so these results also show up in private repos, if someone runs it in a private repo. So having options which are, you know, free or open source might also help there, and then there's this specialized purpose, so this I've actually taken from the CIS Benchmark for supply chain security.

F: So one of them is about scanning for secrets in code, and so what that says is that you should have some sort of scanner that is looking for secrets in code, and then there are a set of other scanners. I just wanted to bring this up to...

F: You know, to discuss if there should be more options for SAST tools.
B: I'm going to take a stab initially on this. There's a PR that Laurent wrote a while back. He made some large refactoring, which involved bringing this in. Do you know what happened to this PR?

A: Yeah, I'm not sure. I think Laurent has just been busy. I don't think he's had time to get back to it, but yeah, I know this is like, updating the SAST check is a pending issue we've had for a while now, yeah.

B: And, Varun, if at least, if my memory serves right, it's not like, at least what Laurent in this large PR is trying to do is not just adding additional string checks, doing it much better to make sure things are handled, scoring and all those things. It's a large, not an extremely large, but a medium-sized PR trying to do this, if I'm not wrong.

B: And coming back to your specific question: where does the stand, especially on this? Where does the stand...

B: We can try and ask if Laurent can work on that. If someone else wants to pick it up and work on it, I know, at least from my perspective, what you mentioned, at least most of the things at least I concur on. I don't know whether licensing is something that, but that's another topic, but at least adding additional tools will certainly be helpful.

F: Dependency review action, I've seen a lot of projects, I think even scorecard is probably using that, you know, so, which is for vulnerabilities in open source packages.

B: So is your thing: hey, are we checking, like CodeQL? Can we add this check for dependency review action? Is that, okay, the one critical problem, or I'm going to step back and talk about: this is not a problem now, if we add this additional stuff, then our scoring should not be affected. We need to figure out how do we add...

B: How do we change scoring for that, because by adding new stuff, if you bring down somebody's score, they're like, and if not, we need to pin to a specific version, and then we need to have alpha, beta. Those were, I brought in dependency review action to be added to the SAST tools, and that's when we discussed this, so those are the, not just doing these checks but which in turn affect the scoring. Those are the problems that we still haven't discussed.

F: Yeah, I think, you know, like, I think that in the future there'll definitely be changes that will affect the score. So it's better to have some sort of a process around it, that, you know, the next three months, something is coming out and, you know, if you do this...

D: Or just a version number. If I may be so bold, I think it would be a terrible mistake to force things so that there can never be improvements. I mean, there's a...

D: ...whole lot of things, there's a vast number of things that scorecards doesn't currently measure, so I think that it will be important to not freeze things just where it is today, absolutely, and that implies that scores will change, and that implies that, you know, most people probably just want, hey, what's the current score, and they don't need to know the version number, but they need to know, if the version number of scorecards that was used, then, you know, make it possible to find that information.

B: I'm going to take a stab again, say this: we probably need a framework, like to say, hey, these additional new checks are alpha or beta, or something like that, and which will, and almost call it as a breaking release change between, like, four and five, and five you're gonna have these enabled, which is three months from now. Something like that.

D: Okay, but under semver I wouldn't call this a breaking change. I mean, your score went up, went down, but if it was something like you changed the JSON format so that the keywords were no longer useful, you know, that I think would be a breaking change. Adding a new measure should not be a breaking change. Now you have more information than you did before, the score, I mean, if you want to claim that the score may be different.

D: You can argue it's more accurate now, and more, you're trying to provide, hey, what's a risk level, and you are trying to move towards increased accuracy. The score is also going to change just from tweaks in the tool, you know, new ways to identify things, like, you know, it currently doesn't handle CircleCI.

D: Well, yeah, I would make it, if there's a minor or a patch, but the breaking changes, you know, and really you want to avoid breaking changes. For example, I've complained earlier that the badge application is called CII. It hasn't been CII for a while, but, you know, what you could do is add a new name and then add it and keep the old name.

D: If, you know, to keep it not breaking, and then, when you remove the old name, make that a breaking change or whatever. I will quickly observe that the best practices badge, which has this as a challenge...

D: We handle this slightly differently, and you can decide whether or not you like this or not, but whenever we propose adding new measures, we add them, but we identify them as what's called future, and future criteria are, you know, their criteria are described, they are measured, they just don't count to the score, and when you switch them to counting to the score, that's when the future marking is removed. You don't have to do it that way, but I mean, I...
B: And also, like I mentioned, the other point about release notes now, specifically having a release note: hey, these things are going to affect the score, would specifically help people, hey, what changed, and helping them in the minor or any other, may not be major or minor or revision, could specifically help somebody understand why, what happened.

B: You're probably right, and we should look at, we should ask, at least look at this. What, oh? But what do you like, like, there's always going to be new tools we're going to identify, like, my two cents again, we're going to be, gosec, Bandit, there's somebody, there's another tool that's going to come up! As long as we have the framework in to add these things.

F: But should there be some sort of decision framework around, okay, should this tool be added versus not added, or...

B: Like, for example, there's somebody, there's a PR that came in for adding certain type, left, I still haven't reviewed that, and we still haven't at least had a major...

B: We have, at least in the past, we've been able to add tools which are open source, which specifically add security to the life cycle of the project. At least up until now, we have not said no to anything, so I don't see a reason why we would want to say no, unless either it's an open source, have different licensing, or if it's not maintained. Those are the only reasons that at least I can think of. I'll let others speak, okay.

F: So maybe, you know, if there's gonna be like a decision for each of these categories, whether it applies to, or, you know, is it sort of in scope for scorecard or not, then that should, you know, help decide on. For example, scanner for CI pipeline: scorecard already has checks for GitHub items, I'm not sure if anything else is really needed or not, not that I actually know of anything else. Scanners for IaC.

D: Well, everything except maybe the last one I think definitely does, and I would also make a case for the last one. I mean, what's the point of scorecard? It's not really to make a random number; you know, we already have random number generators. I mean, the point is to provide a number to help...

D: ...people make decisions, either I'm using this but maybe I shouldn't, or I'm thinking about using this, maybe I should or shouldn't, and so I think having, drilling down to the, yes, they have a secret scanner or not, is appropriate, and, more importantly, it also provides information to the projects. I mean, that's...

D: I think that that's legitimate. Licensing is a little more arguable, I grant you. I will note that it is within the scope of the best practices, not the badge this time.

D: Although the badge does require that, this Fire Sticks badge, and the best practices working group has a list of criteria of how they recommend you evaluate open source software. They include, you use scorecards to get some information, and they do include licensing under the assumption that if you can't even license the software in a way that makes it legal to use, maybe, you know, you don't have any licenses, you know, maybe you're not taking care of the store for security either. I don't think that that's unreasonable.

F: So in this case, you know, I've actually listed down the different categories of scanners from the Benchmark. So I'm not really, you know, done a sort of deep analysis of each of them, but I don't want to mention that scorecard also already checks if there's a license file or not, right. This is about, I think this is about checking the dependencies and what are the licenses of the dependencies, and if one of those licenses is restrictive, then the license that the, you know, something around that sorts.

A: No, sorry, I mean, please finish your thought out. Yeah.

B: If that's the only reason, I don't know what value it's probably going to be. That's another piece of code that we have to maintain; it's complex enough, in my two cents. Let Azim say what he wants to say.

A: One thing, right, so I think scorecard is in a somewhat of a unique situation where we don't actually run, like, let's say, static analysis, or we actually don't use, like, secret scanning, but rather we point people to tools which actually do stuff, right, so that puts us in a bit of a tricky spot, because sometimes people can start using scorecard as, like, a marketing platform and say: hey, here's my tool, so, you know, why don't you recommend this when you're recommending, let's say, LGTM, also on our cube, right, I think we need to figure out...

A: What's the right line to be drawing here in terms of, like, what licenses do we recommend and stuff like that? I genuinely think it is somewhat of an involved discussion, but yeah, I do want to just caution that there is one extreme where, like, you know, if you start recommending every tool you might just end up, you know, recommending all sorts, like people might just come to you and say: hey, here's my new tool.
D: I think that's a misunderstanding of scorecards. What I would say is scorecards is incomplete. It's got bugs. One of the bugs is it doesn't handle all tools, okay, or you don't have to call it a bug, call it incomplete, but, you know, it currently doesn't detect some tools in some situations. Excellent, please help us fix that.

D: You know, it doesn't handle GitLab. That's up! You know, that's true. Let's, you know, if somebody wants to help, add support for GitLab and some of these other things, that's wonderful, but I would not want anybody to walk away saying, you know, scorecards only endorses specific tools and requires, you know, I mean, if a tool doesn't do a job, that's fine, but other than that, I think they should be in scope, but somebody's got to show up, be willing to put in the effort to add the detector.

A: So I think here's the question, right. So let's say the SAST check is a pretty good example, if someone's not using SAST. I think if you are a developer and said, hey, I want to pass this check, the first thing you would do is, what all can I do, or what steps can I actually take to pass this, which kind of implies the tools that scorecard is detecting is the tools that scorecard in...

D: I don't think that, I think that's an unwise thing to claim. In fact, after a certain point, the, what is it, it's the group that involves, you know, in, you know, was it, basically, there'll probably be some legal claims if we claim thou shalt use X. Why? Because that's what we happen to implement today. I don't think that that's the right message, I really don't. I think it's much better to say we're looking for tools, we missed that one, let's add it if it's relevant.

B: So, Varun, do you want, do you have anything else to say on this specifically? I want to just make sure.

F: Hey, Maria, I can, you know, separate out each of these categories and maybe list them down and, I don't know, do some sort of further discussion, yeah, yeah, the...

D: OpenSSF tools working group actually has a list of tool types. If you want, I can hunt that down and add that to the, just to somewhere here, to link to it. Would that...

D: I mean, of course, you know, there's nothing, there's no physical law that says that these are the only tools that could possibly exist. I hope you appreciate, you know, it's, let's see here, guide to developing more secure software.

D: Yeah, so if you looked at the guide on how to develop secure software, it links to a guide to security tools, and it has a list of some common ones. Please don't take this as the official list of all the tools that could possibly exist.

D: So that doesn't mean that, I don't think anyone should expect that you detect 54 different types of tools, never mind the hundreds of tools that actually exist right now. On the other hand, if scorecards does this detection, it means you're doing something valuable, you're doing something different than everybody else. That's a good thing.

B: Sorry, we've got the next four minutes. I want to make sure if there's any other issue, any other pressing issue, that we want to discuss.

B: Okay, great, if there's nothing else...

G: Sorry, Naveen, I have one two zero six one, I was, before my holidays, I was working, that PR is closed, and you had commented, given a suggestion. I think it has no issue on that. We are, one two zero six one, as I need your help in that.

G: What, no, I need to do in there, because that is closed.

B: That, yeah, it's something, and it wasn't passing, again, my memory is not fresh enough. It wasn't passing all the checks, and I think, once for that, if I'm not wrong, sorry, and because it wasn't, the bot automatically closes that if there's no response, if there's no movement on the PR. You should be able to reopen the PR, sorry.

G: And another question: I just suggest a thought, I added in our list, so for the bad score that currently can be, we have any scope of opening a GitHub issue so that whoever is having this repo and some developer always there can take a look, what have the less score, bad score, to work on to make the fix? You know, what they are using.

B: Sorry, I don't understand that question. What do you mean by bad score? Sort of just trying to understand what it is specifically, let's...

G: Say, for example, I take the branch protection, and for against that, scorecard gets less score, and the user has to correct those permissions against the branch protection, so be up to the mark.

B: I think that this, that is, at least right now, that is not in scope, okay, to go create issues, and people don't want to be spammed. My two cents, sort of, nobody wants to be spammed, random bot spamming them saying, hey, yours is not right, and that's why that has to, needs to have a deeper discussion.

B: Perfect, thank you. We are close to the hour. I'll have to pick the, there, for the next. Who would want to volunteer to be the facilitator? It's nothing but sharing a screen, may not be one of the maintainers. I'm sorry, I'm trying to make sure webmaster next, what the next to it is.

B: I'm gonna add you to the next one. It's pretty simple: you have access to this and you should be able to start the meeting, and, like, anybody can join, be able to start doing this. Great. If nothing else, see you all in the next two weeks. Thank you.