►
From YouTube: Scorecards Biweekly Sync (September 8, 2022)
A
A
A
B
D
D
Right
I,
just
just
so
that,
like
it's,
that's
that's
that's
why
we
wanna
so
the
project,
individual
updates,
essentially
just
say
hey.
These
are
things
that
are
happening
across
project
and
and
agenda
because
sometimes
we're
not
able
to
get
to
everything
and
we're
trying
to
be
cognizant
about
what
comes
in.
A
B
E
I
can
I
can
cover
so
azim,
myself,
Caroline
and
Arnold.
We
met
earlier
this
week
and
we
basically
talk
about
this.
How
we
bring
this
so
gauge
is
another
open
source
project
that
that
is
out
there
right
and
we
are
looking
into
identifying
the
opportunity
to
bring
some
features
together
and
I.
Think
azim
has
opened
one
issue.
Let
me
see
if
I
can
put
it
there,
so
we
discussed
so.
E
Yeah,
so
the
idea
essentially
is
to
whenever
we
have
any
releases.
We
need
to
know
whether
that
we
can
trust
that
release
and
yeah
I.
The
the
approach
we
are
trying
to
take
is
we
can
add
this
option
where
we
can
have
the
concept
of
commit
depth.
We
have
for
a
given
reference
coming.
You
can
go
back
to
the
number
of
comments
that
went
into
that
particular
release
and
we
run
the
scorecard
against
those
releases
and
we
measure
with
basically
the
give
some
scoring
to
that
particular
release.
E
D
My
feature
request
was
probably
about
two
three
meetings
before
to
add:
release
information
for
like
right:
okay
and
the
scorecard
has
an
API
right
now,
which
was
released
today
to
add
release
information
in
that.
So
essentially,
consumers
can
consume
the
scorecard
API
by
asking
hey
what
was
the
state
of
that
particular
release?
Version
of
that
repository?
That's
what
it
is
I'm
likely
going
to
pick
it
up
and
start
working
on
it,
but
I
just
want
to
make
sure
that
commit
depth
had
some
kind
of
that
had
some
bad
way
to
move
forward.
E
Okay,
yeah,
that
sounds
good
and
yeah
I
can
post
so
I
actually
gave
the
talk
on
this
gauge
in
open
source
Summit
earlier
this
year,
and
I
can
post
a
link
to
the
recording
there
and
yeah.
This
is
the
project
UFO
source
and
yeah.
The
idea,
essentially
with
cage,
was
to
measure
the
confidence
of
a
releases
instead
of
a
repositories
or,
in
addition
to
the
repository,
if
you
can
add
the
some
confidence
to
material
reviews
and
I
saw
I.
E
F
I
have
a
quick
question.
Yeah
so
so
commits
I
mean
the
the
commit
option
in
scorecard.
Right
now
doesn't
really
work
on
all
the
the
checks.
Is
this
okay
for
you
or
is
it
not?
Okay,
like
the
commit
option,
only
works
on
file
based
checks,
so
all
the
checks
that
don't
use
GitHub
apis
because
we
at
least
until
now
it's
been
difficult
to
look
at,
say
some
settings
in
the
past
because
there's
no
API
to
do
it.
E
Those
are
the
ones
that
we
measure
like
the
ones
that
are
like
immutable
records
like
who
has
been
reviewed
it
has
it
has
this
commitment
reviewed
by
someone
and
those
things
if
Bank
protection
was
on
at
that
time.
Yeah,
as
you
said,
that's
not
available.
So
whatever
information
is
available,
we
should
be
able
to
work
with
that.
Yeah.
E
Yeah
I
can
update
the
issue
so
the
the
way
we
did
it
is
we
added
a
few
additional
checks,
so
more
specifically
I
can
tell
you
so
for
given
commits
we
are
looking
into
the
number
of
contributors
right.
Are
these?
Those
commits
have
been
reviewed
and
is
the
contributor
same
as
the
reviewer
right?
In
some
cases
we
find
whoever
is
committing
is
the
same.
Who
is
upcoming,
which
is
which
is
a
red
flag
right,
so
that
checks
are
added.
E
D
Oh
sorry,
sorry
about
that
I
just
wanted
to
say
scorecard
where
Bob
is
being
fast
with
OSS
files.
Right
now
just
want
to
provide
that
as
an
update
that
eating
our
own
dog
food
to
make
sure
we
are
doing
our
stuff,
not
not,
obviously,
not
every
code
path,
that's
being
fast,
but
only
some
of
them
just
want
to
give
that
as
an
update
and
also
I.
D
D
D
So
we
think
scorecard
is
a
good
candidate
for
this,
because
scorecard
is
utilizing.
Six
stores,
recore
and
follicio
for
as
part
of
today's
release,
so
would
would
request
people
to
do
a
thumbs
up
so
that
the
scorecard
gets
a
fair
chance
to
compete
in
this
right
now.
No
one
else
is
so
it'll
be
nice.
That's
that's
the
second
thing
on
that.
D
B
D
Again,
this
is
not
my
release.
Does
that
there's
all
of
us
doing
work
getting
a
scorecard
badge
out
along
with
Avi,
along
with
security
scorecards,
that
there
we
have
a
website,
this
I'm
sure
most
of
people
who
are
there
in
this
robot.
This
meeting
are
aware
of
it.
It's
for
people
who
aren't
who
get
to
come
later,
get
to
see
what
what
we
have
done.
D
That's
the
update
on
this
and
it
does
and
you
and
again
we
have
an
API
right
now
we
haven't
rested
API
endpoint,
which
essentially
means
you
can
go
hit
that
and
ask
questions
and
not
have
to
not
have
to
jump
through
hoops
to
to
like
something
like
bigquery
to
go,
get
that
data,
so
those
are
good
stuff
on
the
new
stuff
that
has
come
out.
Thank
you
all
right.
That's
my
update!
David.
You
have
a
question.
A
A
G
Sure,
okay,
oh
okay,
I,
don't
know
that
okay.
So
what
happens,
though,
is
the
action
lets?
You
have
a
more
updated
badge
because
you
can
actually
have
that
score,
updated
on
every
comment.
Otherwise
you
are
always
having
the
still
data
that
that's
coming
from
the
crown
data,
which
might
be
a
recall.
A
Around
well,
the
the
reason
I
asked
is
I
was
thinking
about
proposing
that
we
move
that
instruction
about
how
to
make
your,
how
to
add
your
badge
up
earlier
in
the
readme
to
kind
of
focus
it,
but
so
I
I
did
some
testing
and
found
out
that
you
didn't
need.
You
actually
didn't
need
that
auction
for
it
to
work
so
and
I
was
confused.
All
right
now,
I
understand
why
it's
backing
off
to
the
to
the
crime
job,
which
is
not
a
crisis,
but.
D
D
A
G
Yeah
I
I
think
that
that
works,
I
I
guess
the
badge
was
like
an
incentive
where
providing
users
to
say:
hey,
please
install
the
action.
You
know
if
you
want
your
buys,
but
I
I
think
I,
agree,
I,
think
it's!
It's
also
beneficial
if
more
and
more
repositories
through
the
badge,
even
if
they
don't
have
yet.
F
A
G
Yeah
I
think
that
was
the
initial
plan,
but
what
I
realized
is
the
minute
badges
went,
live
a
whole
bunch
of
people
started,
adding
it
I
I
have
no
clue
where
the
where
they
even
got
the
link
from
but
like
tensorflow
started,
adding
it
flutter
started
adding
it
even
though
they
were
not
using
the
action
directly.
So
so
I
just
let
it.
F
A
B
D
Yep
so
I'm
bringing
this
as
a
request
that
I
want
one
community
and
the
and
the
maintainer
start
on
this,
because
right
now,
every
time
like
I
want
them
like,
which
is
mentioned
in
the
in
the
issue,
is
like
salsa:
has
its
own
block
six
store
I'm,
trying
to
copy
what
other
popular
open
source
supply
chain
security
projects
have
having
a
Blog
for
own
scorecard
itself?
What
what
we
already
have
as
a
website
right
now
helps
us
to
provide
some
updates
instead
of
it's
right
now.
D
We
are
posting
it
on
on
open
SF,
but
open
ssf
also
does
not
want
some
technical
blocks
because
they
want
it
to
be,
if
I'm
not
wrong,
so
and
also
getting
our
customers
who
are
using
it,
giving
them
an
opportunity
to
come
and
talk
about
it.
Those
are
my
thought
process.
I
want
one
others
to
answer.
That's
on
a
path
right
now,.
G
Sorry
I
I
think
before
getting
to
the
blog
thing.
Maybe
David
I
actually
have
a
question
for
you
before
answering
the
blog
thing.
So
I
wanted
to
understand
if
the
open
the
LF
had
Clarity
on,
like
the
use
of
netlify
I,
think
some
of
these
things
around,
like
you
know
what
what
can
we
add
to
the
existing
site
like
if
you
can
add
more
blocks,
may
depend
on
like
our
usage
of
netify,
so
want
to
understand?
Is
that
still
a
blocker,
or
are
we
good
to
go
I.
A
I,
don't
I
don't
know
of
any
particular
policy
that
would
prevent
blocking
having
a
blog
post
specific,
a
scorecard
as
long
as
it's
identified
as
a
scorecard
blog
to
differentiate
from
the
other
blogs.
Obviously,
salsa
does
that
already
there's
some
other
folks
who
do
that
also
so
I
guess
the
main
thing
would
be.
Is
it
worth
it
because
having
a
place
where
you
post
blogs,
is
isn't
helpful
unless
somebody's
willing
to
write
them.
D
If
you
don't
have
a
my
counter,
argument
is,
if
you
don't
have
a
place
to
write
like
I,
want
to
write
something
I'm
going
to
ask
like
like
people
right
now
like
we
just
having
a
control
argument.
Not
that,
for
you
are
the
the
Pi
Pi
team
is
using
that
I'm
like
great.
They
are
tweeting
about
it,
they're
putting
on
slack
I'm
like
let's
write
it
up
so
that
people
are
aware
of
it.
So
somebody
else
can
come
and
read
that.
A
G
A
D
D
A
E
A
C
Yeah
actually
I
wanted
to
bring
up.
You
know
a
couple
of
things
related
to
this
one
is
that,
does
it
actually
make
sense
to
have
these
blogs?
You
know,
get
posted
to
the
open,
ssf
blog,
because
you
know
someone
who
is
subscribing
to
these
blogs
for
them.
It's
sort
of
hard
to
you
know
subscribe
to
like
now,
three
of
them,
one
for
six
store,
one
for
salsa
and
then
one
first
scorecard
when
there's
sort
of
trying
to
actually
get
information
about
the
same
sort
of
general
area.
C
You
know
so
that
was
one
idea.
I
mean
any
other.
In
fact,
related
topic
is
whether
School
culture
also
have
a
Twitter
account.
You
know
where,
for
example,
when
some
some
project
uses
scorecard,
you
know,
then
one
can
sort
of
congratulate
them
upon
it.
You
know
maybe
increase
in
score
or
something
which,
which
will
actually
probably
drive
more
adoption.
D
The
open
ssf
has
certain
policies,
I
do
remember,
Brian
and
open
SF
on
one
of
the
blog
on
one
of
the
one
of
the
comments
on
what
needs
to
come
in
you're
gonna
have
to
be
wrong,
saying
this
is
too
technical.
We
wanted
to
not
be
not
be
too
technical
about
it
like
if
we
had
to
get
into
nuts
and
bolts
or
something.
Unless,
if
that
policy
changes
and
if
open
ssf
is
like
hey,
we
don't
mind
like
then
then
I
I,
then
then
we
don't
need
this
block.
A
D
A
A
A
D
Okay,
if
if
people
are
okay
with
that,
then
does
anybody
have
an
issue
of
scorecard
having
a
Twitter
account,
because
that
should
not
be.
That
should
not
cause
any
problem.
So
that
is
a
good
thought
for
us.
Is
that
Watford
mentioned?
Obviously
that
helps
so
people
don't
have
any.
Then
we
can
move
that
David.
If
you
have
10
notes,
can
you
add
that.
A
D
A
Exists
if
you're
not
following
it,
the
small
again,
it's
not
really
any
different.
It's
the
same
issue,
in
fact,
because
now
you
gotta
find
the
url
one
of
the
advantages
of
the
blogs
is
that
you
can
cross
Crosslink
easily,
but
you
want
to
tweet.
If
you
want
a
Twitter
account,
I
think
we
need
to
do
is
raise
it
up
to
operations.
Sure.
D
E
D
My
unless
somebody
says
we
don't
need
that
Anything
Grows
takes
time
to
grow
a
year
before
scorecard
was
in
in
the
states
right
now,
but
but
the
but
I'm
sure.
My
argument
to
that
is.
We
should
try
and
do
that
and
we'll
see
whether
it
is
successful
or
not.
It's
not
going
to
cause
any
harm.
Let's
put
it
that
way:
okay,
fair
enough.
D
D
I
want
to
bring
this
app.
Our
code
coverage
metrics
have
been
going
down
in
these
last
six
months.
I
took
that
I
had
the
coverage
metrics,
which
was
58,
and
it
is
around
42
percent
right
now
that
16
percent
drop
that
becomes
it
becomes
an
issue
with
liability
and
especially
becomes
also
becomes
a
problem
of
new
contributors
coming
in
hey.
How
do
I
have
confidence
to
do
any
patches,
so
my
strong
suggestion
is
to
enforce
this
and
force
code
coverage
in
rprs
so
that
we
don't
keep
following
them.
A
I'm,
hoping
by
the
way,
I
I,
don't
know
if
it
works
on
your
Tech
stack,
but
for
us
on
the
best
practices
badge
we
require
that
it
never
go
down.
If
you
make
a
commit,
it
fails
if
you're
com,
if
your
coverage
goes
percent,
goes
down
yep,
we
do
have
an
option
and
you're
not
adding
at
least
enough
tests
for
that
code.
It
won't
get
accepted.
F
D
Don't
know
I,
don't
know
to
be
honest,
I
don't
know,
but
I've
been
I've
been
tracking.
This,
like
I'm,
like
oh,
my
gosh,
it's
like
we
have
a
badge
on
top
of
our
readme,
which
is
constantly
going
down,
which
is
on
our
face
to
say
it's
going
down
and
I'm
like
okay.
We
need
to
do
something
about
this,
probably
there's
a
big
there's,
probably
a
big
code
base
that
came
in
that
didn't
I,
don't
know
to
be
honest
on
that.
D
C
D
D
D
G
Sorry
I
I
was
just
asking
I
think
we
had
this
discussion
before
and
the
reason
we
didn't
enable
it
is
it's
a.
It
can
cause
a
lot
of
false
positives,
like
people
may
just
be
touching
the
code
and
not
adding
any
new
logic
and
a
good
couple
complaint
saying
that
hey
Douglas
dropped.
So
is
there
a
setting
to
say
you
know
some
threshold
to
avoid
these
false
positives?
To
say,
like
only
if
you
go
below
five
percent
coverage
in
a
single
PR,
then
we
block
you
or
something
of.
D
D
D
D
D
Yeah,
it
is
the
unit
test,
it's
not
about
the
end
unit.
That's
unfortunate
yep
to
answer
azim's
question
on
this.
Specifically,
we
can
I
built
this
tool
for
six
or
six
two
which
had
a
similar
problem,
but
then
they
wanted
as
you
scroll
down
on
that,
like
we
don't
have
to
go
into
that.
Somebody
asked
that
specific
question
can
I
have
like.
We
don't
want
to
fail
for
it.
This
essentially
says
I
want
certain
tweaks,
essentially
saying
Hey
I
want
coverage
for
this
package.
D
Being
this
I
like
packet
within
the
package,
I
wanted
to
be
for
an
existing
sub
packages
to
be
whatever
percentage
it
needs
to
be.
There
should
be
an
option
to
override
and
what
like,
what
azee
mentioned,
this
can
I.
If
it's
37
it
can
go
down
by
one
percent.
It
could
essentially
allow
it
to
go
down
by
one
person
so-
and
this
is
there's
no
rocket
science,
it's
just
a
simple
tool:
parsing
the
Json
file
out
and
doing
certain
tweaks,
which
will
specifically
solve
our
problem
of
this-
is
another
option.
D
Let's
say
this
is
the
option,
but
could
curve
does
not
provide
an
option,
at
least
as
far
as
I
know,
that
my
head
hey?
If
it's
goes
down
by
half
a
person,
it's
fine,
but
if
it
goes
down
by
two
person,
it's
not
you
should
fail.
I
can
try
and
check
if
that
option
is
there,
but
we
need
to
do
something
about
it.
D
D
D
A
D
D
B
D
D
D
A
D
So
specifically
like
like,
if
you
go
to
the
pr
like
like
with
the
code,
if
you
go
back
to
the
code
per
se
or
specifically
showcase
you
don't
have
side
by
side
or
until
like.
Oh
you
all
these
are
new
files.
So
all
these
are
new
files.
We
don't
know.
What's
usually
it
reports,
the
coverage,
Matrix
I,
don't
know
yes,
so
it
clearly
says
hey.
This
line
of
code
is
not
cloud
cover
which
specifically
calls
out
what
is
covered
and
what
does
not
covered.
Okay.
B
D
My
like
I
mentioned
my
suggestion
is
that
we
turn
this
feature
on
it's
going
to
be
pain,
but
if
you
want
to
grow
our
community,
we
need
tests
only
the
test,
we're
going
to
have
more
new
contributors
coming
into
this
project,
and
it's
going
to
take
time.
But
it's
going
to
give
them
a
lot
of
confidence
of
any
PR
that
they
do.
You
don't
have
to
know
everything
all
the
moving
Parts
within
scorecard.
A
I
love
the
idea
of
requiring
not
reducing
the
amount
of
test
coverage
for
something
to
be
pulled
in
I.
Don't
think
we
need
to
wait
for
that.
I
think
it
would
be
good
to
double
check
that
the
end-to-end
tests
are
getting
included,
because,
if
they're
not
then
I
think
the
numbers
are
a
little
misleading.
Absolutely.
D
D
B
But
it's
kind
of
a
double-edged
sword
where,
if
you
have
a
contributor
that
might
be
willing
to
write
a
like
a
future
update
and
then
not
willing
to
write
the
test
for
it,
we
could
lose
that
contributor,
for
example,
correct,
or
you
know
someone
else,
steps
in
to
finish
a
PR
but
I
I
do
like
I'm,
not
sure
just
catering
to
them
is
worth
it
yes
or
no
inspiring
that
whatever
they're
contributing
isn't
being
tested.
Yeah.
D
G
So,
if
I
think
like
reliability
or
maintainability
is
the
issue
should
we
just
have
it
I
mean
you
could
just
have
like
a
more
cultural
change
in
our
code
review,
which
says
that
you
know
if
you're,
adding
extra
logic,
that's
really
expected
to
write
this,
which
also
allows
us
to
you
know,
maybe
be
a
little
easier
on
new,
first-time
contributors
or
outside
contributors.
But
if
it's
a
major
change
by
maintainer,
we
can
explicitly
require
that
they
write
it,
which
seems
like
more
reasonable
than
relying
on
like
arbitrary
numbers.
I
think
yeah.
G
C
Actually
I
had
a
similar
point
that
you,
instead
of
enforcing
it,
you
could
probably
like
just
add
a
point
to
the
pr
template
which
says
that
you
know
I
have
added
checks,
because
sometimes
what
happens
is
that
you
know
I
might
change
a
line
of
code
and
there
were
no
existing
tests
for
it.
And
then
you
know
two
weeks
make
me
do
then
write
the
whole
set
of
tests
for
something
becomes
a
bit
so
like
doing
it
on
a
Case
by
cases
case
basis
by
knowing
the
data
right.
C
D
What
do
you
think
is
absolutely
right:
I'm,
not
I'm,
not
disagreeing
to
it.
We
already
have
that
option.
We
already
have
that
option
in
our
PR.
Have
a
checkbox.
Do
you
do
you
have
test
cover?
Let
me
let
me
talk
about
myself.
I,
don't
like
I,
am
lazy,
sometimes
to
make
sure
what
is
the
coverage,
what
it
is
and
I'm
like
I
upload,
the
pr
so
I
can
talk
for
myself.
I
can't
talk
for
others.
I
can
talk
for
myself
and
that's
why
we
have
from
58
to
42
right
now.
D
D
Oh
we're
going
down,
I
didn't
mean
failing,
but
we
are
going
down.
I
want
to
avoid
that
from
short-term
perspective,
with
respective
risk
and
also
long-term
perspective,
with
respect
to
having
you
new
people
come
and
contribute
have
confidence
as
to
kind
of
do
a
patch
and
be
confident
that
nothing
will
break
or
the
chances
are
lesser.
D
A
D
That's
what
I?
That's
that's
a
route
I
wanted
to
assume
right
now.
Azim,
Lauren
and
I
have
option
to
turn
off
that
setting
and
more
something
in
that.
But
that
means
that
somebody
has
to
explicitly
go
turn
that
off
merge
that
in
and
then
go
turn
it
on.
So,
let's
that
being
an
option
that
we
still
have
an
override
option,
but
it's
a
little
bit
jump
through
hoops.
But
let's
do
that.
A
D
C
B
A
Group,
yes,
and
then
this
won't
I,
don't
think
this
will
take
too
long,
but
I
mean
people
want
to
ask
questions.
I
I
am
here.
So
basically,
chaos
is
another
Foundation
kind
of
a
sister
to
open,
ssf
and
so
on.
Their
overall
task
is
they're,
trying
to
identify
and
really
narrow
it
nail
down
very
specific
metrics
definitions
so
that
you
know
in
theory
everybody
knows
exactly
what
a
particular
metric
means
and
and
that
sort
of
stuff
the
chaos
has
a
specific
subgroup
called
the
risk.
A
So
the
lead
of
that
particular
group
is
Sean
Goggins
and
it
seems
to
me,
like
you
know
it
would
be
good
for
these
two
groups
to
talk
to
each
other,
so
I
have
so
Sean.
Sean,
Goggins
and
I
talked
he'd
like
to
show
up
at
the
next
Gathering
and
just
briefly
explain:
here's
the
metrics,
we've
kind
of
defined
here's.
The
thing
kind
of
things
are
working
on.
A
Because
I'll
be
I,
have
a
I
have
a
conflict
myself,
so
if
I
can
I'll
be
there,
but
if
not
I,
you
know
I'm
I
I
think
it's
always
good
to
have
different
groups.
Talk
to
each
other,
you'll
probably
find
out
something
from
somebody
else.
It's
at
least
somebody
leaves
better
off
than
when
they
started.
So.
Thank
you,
foreign.
H
Have
a
question:
I
shouldn't
be
quite
easy:
I
would
ask
for
a
future
in
scar
card
with
the
working
group
identify
security
threat.
We
are
working
on
a
specification,
a
yaml
file
that
would
like
to
aggregate
a
lot
of
information
related
to
security
like
where
is
the
security.md
or
the
policy
or
the
contact
or
other
information
that
can
be
related
like
spawn
file
and
similar.
H
That
sometimes
are
not
so
standard
and
it
can
be
helpful
for
a
lot
of
people,
maintainer,
developer,
community
and
also
a
packet
manager
and
so
on,
and
we
have
now
the
schema.
So
the
schema
is
ready,
but
it
will
be
great
to
integrate
it
in
the
scorecard,
so
the
scorecard
could
be
able
to
read
it
also
to
reduce,
maybe
false
positive
that
we
have
had
in
the
past.
H
So
initially,
this
specification
was
born
to
help
some
open
source
project
that
receive
a
low
result
in
the
scorecard,
because
the
scorecard
was
not
able
to
match
some
file
that
they
have,
but
in
a
different
pattern
out
and
that
I
use
a
path.
I
think
so
I
cannot
benefit.
Sorry
I
can
open
an
issue
where
I
explain
the
project
and
maybe
we
can
discuss
how
it
could
be
implemented
or
at
least
test,
because
it
could
be
help,
I
think
or
a
lot
of
hands.
G
So
to
clarify:
is
this
the
security
insights
project
that
you
are
talking
about?
Yes,
Etc,
all
right,
so
I
I
think
we've
had
this
discussion
in
the
past
around
you
know:
heading
checks
which
consume
security,
insights
data,
our
our
biggest
concern
has
been
around
like
trust
and
reliability,
in
the
sense
that
it's
basically
since
scorecard
today
is
pretty
opiniated.
Where
we
say:
hey
we've
checked
the.
This
is
what
GitHub
API
returns
and
based
on
that
we
are.
G
We
are
telling
you
know
how
the
code
reviews
have
happened
and
things
like
that
I
think
there
is
some
risk
here
of,
like
you
know
not
like
malicious
risk,
but
there
is
risk
of
like
developers
adding
any
kind
of
data
and
we
would
be
relying
on
it.
That
is
not
to
say
that
this
is
something
that
we
are
opposed
to.
G
I
I
think
scorecard
is
trying
to
move
in
this
direction
where
we
kind
of
want
to
be
kind
of
almost
unopenated
and,
like
you
know,
let
users
who
are
consuming
scorecard
make
their
decisions.
I
I,
don't
think
they're
there
yet
but
I
guess
when
we
do
reach
there.
This
might
be
a
good
discussion
to
have,
but
given
the
state
in
which
scorecard
is
today,
I
I
feel
like
it
might
be
a
little
hard
to
like
you
know
say
that
this
should
be
a
separate
check
in
scorecard.
H
Okay,
yes
I
understand,
but
this
in
the
security
inside
project
at
third
model.
That
explained
these.
The
risk
of
false
data
is
low
because
it
doesn't
mean
that
the
score
card
cannot
check
the
GitHub
API.
But
this
means
that
in
the
future,
because
her
card
could
check
also
order
Apple
based
on
Justin
Gita
bread
and
not
all
the
open
source
is
based
on
GitHub.
So
maybe
something
that
can
help
it's
like
security.10d.
H
The
scorecard
can
check
if
it
exists,
but
it's
not
so
different
to
check
all
the
URL
I
mean
if
I
have
the
security.txt,
I
and
I
link
it.
Instead
of
having
the
security.md
I
mean
it's
the
same
for
I
started
want
to
contact
the
maintainer,
but
for
the
security
scorecard,
you
are
saying
that
the
project
don't
have
a
security
policy,
but
maybe
it's
not
true.
F
Since
you
have
data
about
false
positive
and
negatives,
why
don't
we
use
all
your
insights
and
improve
scorecard
to
make
it
look
at
the
right
places
that
people
might
have?
For
example,
the
I?
Don't
know
these
security.md
I'm
just
wondering
whether
security
inside
dojamo
is
an
additional
burden
on
Developers?
Maybe
some
will
use
it.
I,
don't
know.
Maybe
some
old
but
I'm
just
wondering
whether
if
you
have
the
data,
could
we
use
these
insights
to
improve
scorecard
instead
of
putting
the
burden
on
Developers.
H
H
The
reason
why
I
think
it
can
help
the
scorecard
and
in
general
people,
is
that
at
the
moment,
if
you
have,
for
example,
if
you
are
a
foundation,
you
have
a
lot
of
rapper.
Maybe
you
don't
want
to
update
every
policy
every
time,
because
maybe
you
have
the
security.md.
You
want
just
to
have
a
single
policy,
maybe
on
a
website
and
then
link
it
to
the
to
the
to
the
repo
or
where
you
prefer
and
in
addition,
Gita
buffer.
H
The
security
page
is
very
nice,
but
other
service,
like
bitbucket
and
git
lab,
could
offer
a
different
approach
or
just
a
report
that
are
not
on
GitHub
and
if
the
goal
is
to
help
to
improve
or
add
to
the
developer
and
Community
to
make
decision.
According
to
the
data,
the
security
inside
cannot
because
it
is
a
file
that
you
can
more
or
less
analyze
using
a
tool
because
it
is
a
yaml
and
it's
not.
It
doesn't
depend
by
the
platform,
especially.
F
So
I
didn't
yeah
I,
totally
understand
what
you
mean.
I
didn't
fully
understand
so
on
GitHub.
If
Apache
Foundation
was
in
GitHub,
maybe
they're
not
they
can
just
put
one
dot
MD
in
the
org
and
it
can
point
to
their
website.
So
that
would
work
on
on
other
platforms
like
I
think
you
said
bitbucket
they
don't
have
this.
Does
that
mean
that
every
developer
is
going
to
have
to
create
that.yaml,
and
is
that
not
the
same
as
just
creating
it
with
me
with
a
link
to
it.
H
If
you
check
now
on,
usually
attack
Marvin
a
Pi
Pi,
and
there
are
a
lot
of
rock
and
Link
or
outdated
link,
because
there
is
not
a
easy
standard
to
maintain
this
with
this
file.
Also,
for
example,
directly,
the
packet
manager
can
check
if
the
information
match,
for
example,
it's
not
just
for
the
security
scorecard,
it
is
for
the
community
and
it
should
be
a
way
to
read
and
collect
information
easily.
H
Also
when
the
project
don't
follow.
Maybe
the
correct
specification
of
standard
and
another
example
is
this
bomb
file
at
the
moment,
a
lot
of
projects
exists,
a
lot
of
open
source
project
related
to
spam,
but
there
is
not
a
there,
isn't
a
sort
of
standard
or
best
practice
where
you
should
put
the
the
small
file
or
how
we
should
format
this
bomb
file.
We
want
to
have
a
spawn
file.
The
community
and
the
projects
are
tried
to
add
more
information
already
to
third-party
packages,
but
at
the
moment
we
don't
have
a
clear
standard.
F
H
Okay,
yes,
of
course,
no
I
can
open
an
issue
and
I
can
try
to
explain.
I
can
add
all
the
link.
I
mean
open
an
issue
to
ask
the
feature,
of
course,
but
I
can
also
add
all
the
information
about
security
insights.
So
we
can
talk.
Maybe
scorecard
don't
need
to
use
all
the
information
for
sure
if
you
can
write
information
for
the
API.
Of
course
you
can
drop
from
the
the
file,
but
there
are
maybe
other
information
that
can
can
be
helpful.
H
For
example,
if
a
project
have
or
not
have
a
back
Bounty
program
or
something
similar,
and
that
can
be
interesting
for
for
the
community,
at
least
for
the
independent
security
researcher
community.
So
it's
not
just
for
the
maintainer
the
developer.
It
should
be
some
a
standard
that
should
help
different
people
or
I
mean.
D
Yeah:
okay,
one
thing
like
what
to
to
what
azim
and
Lauren
mentioned:
is
people
can
game?
This
like
I?
Can
I
can
be
a
bad
actor?
All
of
a
sudden
scorecard
will
start
producing
good
results,
which
is
which
just
becomes
hard
I
think
we
also
talked
about
this
veterans
scorecard,
providing
two
kinds
of
scores.
Essentially
one
scorecards
without
using
these
insights
tool
and
one
is
with
insights
tool
that
could
be
another
option,
but
for
that
we
need
infrastructure.
D
H
I
agree:
that's
the
score,
can
use
or
not
use
the
it
could
be
an
optional
file.
It
could
be.
The
scorecard
can
decide
just
to
not
count
the
information,
but
just
provide
the
information.
Sometimes
it
can
be
helpful
and
so
how
the
score
can
can
use.
The
file
can
be
defined,
of
course,
in
a
discussion
in
an
open
discussion.
I.
H
Don't
think
that
I'm
saying
that
I
I
don't
want
to
say
that
the
scorecard
should
trust
to
every
information
in
the
file,
but
some
information
can
be
trusted
just
because
they
are
not
different
how
the
scorecard
work
now.
So,
if
we
Discover
card
check,
not
the
content
of
a
policy,
but
just
if
the
policy
exists,
this
file
can
help
to
mitigate
the
false
positive.
H
After
a
long
time,
I
mean,
for
example,
security.txt
seems
to
be
popular,
but
at
the
same
time
it's
not
so
popular
because
in
the
top
of
5
000
website,
less
than
25
percent
have
it
and
we
consider
it
popular.
So
this
kind
of
approach
and
specification
for
sure
required
time
so
scorecard
can
be
a
good
way
to
give
visibility
to
a
file
that
have
information
that
the
community
needs,
sometimes
a
basic
information,
just
maybe
the
domain
to
the
project
or
the
email
contact
for
the
maintainer.
H
That
requires
all
how
to
report
the
security
issue.
A
lot
of
big
projects,
don't
have
a
security
dot
MD
or
they
have
it,
but
in
a
different
place
and
having
an
easy
way
to
collect
aggregate
this
information,
because
security
Insight
could
be
used
by
all
the
scanners
of
the
best,
just
by
scorecard
to
provide
well-ordered
data
that
at
the
moment
we
haven't
I
I
mean
from
that
perspective.
I
think
that
it
can
help
so
scorecard.
Can
we
can
decide
how
scorecard
can
use
it.
H
But
if
we
add
the
support
to
scorecard,
it
is
a
good
way
also
to
show
to
the
community
how
Security
Site
can
work
and
why
it
can
be
helpful.
I,
don't
think
that
the
security
card
is,
can
be
the
only
tool
that
can
use
this
file
to
collect
information.
I
think,
especially
that
other
I
think
to
backend
manager
can
use
this
file
to
maintain
information
updated
because
if
the
security
Insight
is
directly
in
the
report,
I
can
trust
it.
If
I
have
already
the
packages
linked
to
a
particular
weapon.
H
I
can
trust
also
to
the
security
inside,
because
I
am
linking
the
two,
the
the
project
on
the
packet
manager,
so
the
package
and
the
source
code.
So
there
is
no
reason
for
a
packet
manager
to
not
trust
to
the
file
in
the
security
inside
and
at
the
same
time
it
if
I
mean
probably
it
is
the
best
way
to
maintain
the
data
updated.
There
are
a
lot
of
Pi
Pi,
Project
and
Marvin
projects
that
have
a
lot
of
contact
or
website
that
are
not
updated.