From YouTube: Scorecards Biweekly Sync (February 9, 2023)
C
So I think Laurent was supposed to be the original facilitator and is out on travel this week. So if anyone else wants to step in, otherwise I can always fill in as well.

C
All right, I should have the agenda up, so the doc. You should be able to find this link from the Slack channel. I can put a link to it in the Zoom chat as well, and then, if you don't have access to it, there is a dev group that you should join.

C
I see a lot of you guys are doing that already, and then usually we start off by going through the attendees and, for anyone that might be new, welcome them to introduce themselves, you know, what they're here for, kind of thing. So yeah, it looks like Ian has already added his name. If either of you feel like just a quick introduction, you don't have to, but sure.
D
So any of us show up: let's see how we can help out with that a little bit, and there's some other stuff we're doing around Hoppr and kind of augmenting SBOMs, but specifically we're really interested in that GitLab support for the first part.

E
Can say: hi, I'm Justin, first time here. I work with eBay and I'm the author of the SBOM Scorecard project, which...

C
Cool. Well, barring any additional introductions, let's start with project updates or individual updates, where these are usually shorter things, just sort of for awareness.
G
No discussion, yes. So for Allstar, the contributor ladder PR is still open. If you have any comments, take a look at that. And also we've had a few external contributors submit some features and they've been asking for a release. Most people that run their own instance just build from head, so I haven't been doing releases regularly, so I'm gonna do a release really soon because somebody asked for it. And that's it for updates.

C
All right, thanks, Jeff. I don't think there's any Scorecard ones. Could also probably do a release. It's been a while, and we have some bug fixes.

G
Yeah, so basically I'm asking this group first of all. So for technical infrastructure, the guidance from the TAC is that working groups are free to use whatever resources they can find, or solicit help from member organizations, or to request funding from the OpenSSF governing board through the TAC.

G
Yep, yeah, so I'll take that as a no. So I've raised my hand, I don't know.
B
Yeah, I see. Hi, Bob. Yeah, hey, Jeff. Yeah, I know Google has been funding it; we're happy to continue funding it. I think, you know, certainly the choice here is, now wearing my TAC hat and not necessarily my Google hat, yeah. You know, it's something I think we could take to the LF IT team to understand, based on the architecture, whether that's something that they could help support without the need for additional money versus, yeah.

B
What that would fundamentally look like, versus, like, keep doing what we're doing and just make sure that, like again, we have the right access permissions for folks in the community and figuring that model out. I'm wholly supportive of, you know, making sure that we have a neutral and sustainable solution here. So I guess money is one option to it, but there may be other options that might not involve necessarily fundraising, even though it's not a huge amount of...

G
So it's sensitive, and it's something that we have been proclaiming to be operated by the community and the OpenSSF. So I want to continue to uphold that claim. So I don't know what the timeline is, at least for the current infrastructure, if that's going to disappear at some point, so hopefully I can get something ready as soon as possible.
B
Got it. So, I guess, let me just parrot back what I heard. Yeah, so your intent is to move off of the Google infrastructure as soon as reasonably possible. Are you gated by... I'm just trying to make sure that we prioritize this aspect of the TAC and LF accordingly, but so your desire is to move off of that as soon as possible.

A
This conversation, yeah, the way I understood it was the problem isn't so much running on the Google infrastructure. The concern was a kind of access that they expressly require that I think Jeff believes is not necessarily the case for a typical user of a cloud service.

A
Jeff, I'm putting words in your mouth. Tell me if I'm wrong; I'm just trying to paraphrase back what I understood, yeah.

G
So the current infrastructure is running, but I've been given a request that the provider has access to the data, which I've denied, so I don't know if that's going to mean that that infrastructure is going to be pulled, and when.
B
No, I myself as well. So that's, I think, part of the challenge here. I mean, I think, again, from my perspective, I just want to make sure that you don't get caught up in an unnecessary fundraising activity if there are shorter-term solutions that would be viable, that give you what you're looking for, right.

G
So yeah, I mean, this is what I'm asking here. If somebody in this group can provide neutral infrastructure, I'd be happy to take it without going to the TAC, and if that's Google, then that'd be great. It would just need to be without the stipulations that I've been told are required for that.

G
The specific stipulation is, so in Google Cloud, sorry for those here who are mostly AWS folks, but in Google Cloud Platform there's a project, and then there's administrator permissions on the project, which means you have access to everything. And the stipulation for my current infrastructure is that a Google engineer must be an administrator on the project for me to be able to use it.

A
Okay, and you think a typical GCP instance, or another instance on Azure or AWS or other clouds, would not typically have that stipulation? Absolutely.
B
Wearing my TAC hat, I think we should... We can certainly open a ticket with OpenSSF Ops and explore what options exist within the IT framework that the foundation itself has. That's probably the cleanest way, because you may be kicking the can down the road if another company raised their hand and said "I'll do this," but there's some other restriction associated with it.

G
As well, yeah, that could happen. So, yeah, any request here, or like anybody who provides infrastructure here, it would need to be neutral. So yeah, I agree that might be the problem if somebody provides it but then says, "oh well, we still need to access it," right.

A
And let me just quickly speak for LF in general: we don't own computers or infrastructure; we pay various services, cloud providers and so on, to provide that.

A
So it's not like there's an LF set of computers sitting around somewhere in San Francisco that is ready to do the running.

G
Now I'll open the issue on the TAC with the funding request. Okay.

C
All right, Jeff, do you feel like this has been discussed?
C
All right, so moving on. Someone from Lockheed Martin wanted to talk about adding support for GitLab. I know we have some open PRs right now. I believe Raghav, who I'm not sure is in the call, has been working on trying to sort of get that PR across the finish line. But if you want to talk to it, go ahead.

D
Sure. So again, there's three of us from Lockheed on the call here. I think he's getting here; he's gonna probably be doing a lot of the work, but yeah, we're just kind of curious where to get started.

D
We saw the issues and the PR that's out there and are happy to kind of help get it across the finish line. We're using it with a sort of tool we have called Hoppr; we're going in, putting OpenSSF Scorecard data into augmenting SBOMs, which looks like a great topic for Justin. I'd love to hear what you're doing. So yeah, I think it's something we're happy to help support, because I think everyone benefits from the added Scorecard data brought from GitLab.

C
I haven't read it. It'd be great to get support for both GitLab and, you know, just augmenting, because Scorecard does also support some local repo analysis.

C
So Laurent, one of the maintainers, is working on some structured results and trying to make certain checks more granular and more data-driven. So, like, instead of just saying "does it pass the license check," sort of break it down into subcomponents.

C
So we've discussed that in some previous meetings; it should be available in the minutes. But one thing with those structured results is that it might enhance our ability to do more analysis locally. So between that and enhanced GitLab support, it's looking, or at least it sounds like, a lot of impact.
A
This is really just a request back.

A
There was an effort early on to try to make the Scorecard's requirements not be specific to GitHub, but there's always the risk that you intend to do something but you didn't quite accomplish it. So I would beg for, if you've got feedback on the criteria, you know, that sort of thing, you know, what's missing or, you know, rewording to make it more general, I think we'd love, we'd be very, very interested in hearing it.

A
What, the Scorecards criteria? Yes. Somebody else want to give the link, because I'm trying to type in the note here real quick, but let's see here. We'd love, yeah. So give me a moment: I will put in the link once I do that.

C
All right, yeah, Jeremy, I think that's the list. Yeah.

C
So, with Laurent's structured results, it's sort of being split where, under the umbrella of, say, Dangerous Workflows or Token Permissions, there might be a GitHub-specific check, but nothing that sort of prevents a GitLab-specific check as well, all under the umbrella of the Token Permissions. Okay.

C
All right, so it sounds like that action item is just to have the discussion in the issues, which is what I heard. So on to our next item, talking about the SBOM Scorecard project, Justin.
E
Yeah, so I wrote this thing called the SBOM Scorecard. It scores SBOMs, the...

E
I think having an SBOM is an important part of an open source project and contributes to some of the security. It's a useful input into security organizations. As such, I think a criterion on the Scorecard, on your Scorecard, should be: hey,

E
do you have an SBOM? And then the second piece is that you can have one and they're pretty useless. And so, like, you can have a valid SBOM that doesn't list your dependencies, or you can have a valid SBOM that doesn't tell you the version of the dependency that you're using. And so then there's a subsequent thing, which is like: how do we evaluate the quality of those SBOMs that we require?

E
Which is the thing that my project attempts to do. And so two parts: have, suggest people deliver SBOMs, and then second, make sure they're of high quality. And so I'm happy to... I think someone filed an issue about this and I said I would be happy to support this happening, but it's not entirely clear what that might look like for y'all, and so I am here to have that discussion.
F
Yeah, I'd be interested in this, because this is... so this is Jared. I work with the industry working group, and so one of the biggest challenges is you get an SBOM out of one of the generator tools and then it's missing SHAs, it's missing hashes. It doesn't tell you who wrote it or who designed it. It's missing vulnerabilities.

F
It doesn't have any... they're very weak, right, they're very lightweight, so the quality would be really interesting to see. The challenge that, I'll dive into this, but understanding, you know, how are you pulling it? Are you pulling it from Marine Corps? Are you pulling it from archivists? Or, you know, is it you got a pointer at a repo that has all your SBOMs? You know, I'll check that out later, but cool project.

C
Cool, so you mentioned an issue. I assume the issue was something like "add SBOM as a check."

E
The issue is in your repository; I can dig up the URL, but it's effectively: hey, y'all should use SBOM Scorecard as part of your thing. And I didn't file that issue; someone else did, but I'm happy to support that happening.

A
Have you compared this to the US government's list of minimum viable...
E
It makes sure that the data that is there is useful. And so, if you say you depend on Spring, then this thing will say: hey, but like, what version of Spring, right, and you didn't say what license Spring was, and your SBOM file is not even syntactically valid. So yeah, it...

E
And I think this is not supported yet, but the intent is for there to be support for customized rules, to the degree that someone would like to have different opinions about what's required and what sort of things need to exist. So.

C
Yeah, that's a very common theme that Scorecard has sort of been noticing, is that people have very opinionated opinions about Scorecard as well, like which checks they care about, and there should be an issue with CLOMonitor or something like that where, you know, more and more people are just having this sort of, like, "we want to customize how we," I don't know, "care about certain things but not others," and it'd be interesting to see the overlap there.

E
Yeah, there's probably some scorecard framework that'll exist in two years for people making scorecards, to support these sorts of things. But yeah, I think it's a question of, like, building a scorecard is a mechanism by which we can influence the culture and the direction that fits our agenda, and my agenda is that things should have licenses and versions, and when you get a CVE you should be able to look at the SBOM and figure out if you're affected. And so that's what's reflected in my tool, in a similar way.
C
So, usually, just based on the nature of the meeting, I'm trying to look at all the attendees right now. We're missing quite a few maintainers just due to travel and parental leave and stuff like that. So I think the best would be sort of a discussion on this issue that I added to the notes about adding support for the SBOM Scorecard.

C
So Laurent sounds like he's on board, and I think it aligns with what sort of secure best practices would be in terms of software supply chain. So I think the next step would be just soliciting comments on this issue and sort of going from there, given that there's some conferences and maintainers missing right now.

E
Cool. Do you expect that to happen, or do I need to attend this meeting again in two weeks to make that happen, or can it happen... but do one of you wanna help nudge the developing people?

C
Yeah, so I think sort of soliciting for a comment in the Slack is good. I understand that in the issue, though, I'm pretty sure Laurent said "bring this to the meeting," and then people just happened not to be here, sort of thing. But usually someone has an issue, they bring it to the meeting, it didn't immediately get shot down, people either want to discuss it or for time reasons aren't able to, and then sort of discussion flows back to the issue anyway.

A
Yes, I guess: does anybody have any strong reservations, given what they've heard so far? Maybe, you know, which is not a very strong straw poll, but, you know, hopefully at least gets the juices flowing. I don't... certainly I think the idea of encouraging SBOMs is something we're trying to do anyway. So.

C
Yeah, and I agree in terms of sort of scoring projects on best practices for securing the supply chain; having an SBOM is obviously up there. So I think there's some discussion to be had. People are discussing about either the binary artifacts check or whether this is its own check, sort of thing.
C
And sort of that format you described, Justin, where it's one thing to have an SBOM and then it's another thing to have a valid SBOM, where, you know, there's some debate about what valid is. But that's something that Scorecard checks have gone through before, like our security policy check used to be: does it have a security policy? It's like, yes, but it could have been empty, sort of thing. And then the check was augmented to actually check a few things. So it sounds very similar to some of the checks we have now, really, some of the discussions we've had now.

A
Yeah, and by the way, somebody else asked me if that was the... this particular NTIA document is what I mentioned, and yes, that is exactly what I was referring to. CISA, in the US. This is a US-specific thing, but, well, you know, this list is specific to... it's a recommendation from the US. That said, I think other people have looked and said: yeah, I mean, there's probably more that should be there, but this is, at least, I would expect these to be there.
A
So, yeah, I'm looking through. I mean, supplier name sometimes doesn't make as much sense, although, you know, at least where, if the supplier is the registry or the package organization, that makes sense. And then component name and version, obviously yes. Other unique IDs, and I think PURLs and hashes make sense.

A
I think this makes some sense. I'm sure what we'll find is that a whole lot of projects don't have SBOMs at all, and some of the SBOMs aren't very good. But that's okay, in the sense that that's exactly why you have a scorecard.

E
Both: in many cases they don't exist, and in some cases they're like alongside the artifact but aren't in any way linked to the source code of the project, or...

A
I think there is a challenge that typically, I mean, the better ones, I believe, typically are generated by the build environment, but then it's not necessarily included in the source code. It's, you know, well, where do you put it? It's not in the package that's generated, necessarily, and it's not in the source code.

C
All right, well, I see, Justin, that you dropped the link in the chat, and yeah, I'll probably ping some people that were in the meeting just to encourage comments. But if anyone has any final discussion on the SBOM Scorecard bit, I'll give it a little bit, but otherwise I think we're...
H
Hi, for those of you I don't know, I'm Cara. I've done some work on documentation for both Scorecard and tools that extend it, Allstar, and I wanted to follow up on something.

H
From last week... In the beginning of January, I had said, you know, this documentation is getting mature enough that it's getting out of date and it needs a freshness review, and we need to do just sort of a read-through of everything. And I grabbed a couple of people and sat down, and we went through all the docs for Allstar and Scorecard to generate some issues. And it was pointed out last week, rightly so, that I probably should have announced that to the group and found out who else was interested in doing so.

H
So I want to apologize for that first off; that's my bad. And so I want to put it out there that I was hoping that maybe every six months we could discuss, perhaps, having an hour or two where whoever's interested gets in a call together and reads through, like speed-reads through, all the documentation. I found this is a good way to just generate a real quick list of things, like, "yeah, that's out of date."

H
"We've been meaning to fix that," and "oops, we didn't realize that's not accurate anymore." And then we can prioritize those and decide what needs to get fixed. So I just wanted to put that out there and see if there was any interest for, say, a twice-yearly review of documentation on the projects.

C
So, just to give some context from last meeting: Stephen Augustus also sort of meshed with the idea of every six months, so I think there is support out there in terms of maintaining doc freshness, just so that potential contributors, or, you know, anyone trying to use it, has an easy time and isn't fighting doc staleness.

H
So if there's no disagreement on that, how about, rather than phrasing it the way I did: if there's no disagreement, I'd like to follow up in, say, summer, around July-ish, or summer for the Northern Hemisphere folks. Maybe this July will be about six months from January.

H
We'll have hopefully worked through all the issues that we created in January at that point; it'll be just time to do this again. So I'll either announce it by email to the group or here, and we can then make a public meeting that anybody can go to to participate in this. That sounds good.