►
From YouTube: Scorecards Biweekly Sync (February 9, 2023)
C
C
C
C
I
see
a
lot
of
you
guys
are
doing
that
already
and
then,
usually
we
start
off
by
going
through
the
attendees
and
for
anyone
that
might
be
new
or
welcome
them
to
introduce
themselves.
You
know
what
they're
here
for
kind
of
thing,
so
yeah
it
looks
like
Ian
has
already
added
his
name.
If
either
of
you
feel
like
just
a
quick
introduction,
you
don't
have
to
but
sure.
D
D
C
G
No
discussion,
yes,
so
for
All-Star
contributor
ladder
PR
still
open.
If
you
have
any
comments,
take
a
look
at
that
and
also
we've
had
a
few
external
contributors
submit
some
features
and
they've
been
asking
for
release
most
people
that
run
their
own
instance.
Just
build
from
head,
so
I
haven't
been
doing
releases
regularly,
so
I'm
gonna
do
a
really
soon,
because
somebody
asked
for
it
and
that's
it
for
for
updates.
C
G
B
Yeah
I
see
hi
Bob,
yeah,
hey,
Jeff,
yeah
I
know,
Google
has
been
funding
it
we're
happy
to
continue
funding.
It
I
think
you
know.
Certainly
the
choices
here
is
now
wearing
my
attack
hat
and
not
necessarily
my
Google
hat
yeah.
You
know
it's
something
I
think
we
could
take
to
the
lfit
team
to
understand,
based
on
the
architecture,
whether
that's
something
that
they
could
to
help
support
without
the
need
for
additional
money
versus
yeah.
B
What
that
would
fundamentally
look
like
versus
like
keep
doing
what
we're
doing
and
just
make
sure
that,
like
again,
we
have
the
right
access
permissions
for
folks
in
the
community
and
figuring
that
that
model
out
I'm
I'm
wholly
supportive
of
you
know
making
sure
that
we
have
a
neutral
and
sustainable
solution
here.
So
I
guess
money
is
one
option
to
it,
but
there
may
be
other
options
that
that
might
not
involve
necessary
fundraising.
Even
though
it's
not
a
huge
amount
of.
G
G
So
it's
sensitive
and
it's
something
that
we
have
been
proclaiming
to
be
operated
by
the
community
and
the
open
ssf.
So
I
want
to
continue
to
uphold
that
that
claim
so.
I,
don't
I,
don't
know
what
the
timeline
is,
at
least
for
the
current
infrastructure.
If
that's
going
to
disappear
at
some
point,
so
hopefully
I
can
get
something
ready
as
soon
as
possible.
B
Got
it
so
so
you're
I
guess,
let
me
just
pair
back
what
I
heard
yeah,
so
your
intent
is
to
to
move
off
of
the
Google
infrastructure
as
soon
as
reasonably
possible.
Are
you
gated
by
I'm,
just
trying
to
make
sure
that
we
prioritize
this
this
aspect
of
the
attack
and
and
LF
accordingly,
but
that
so
your
desire
is
to
move
off
of
that
as
soon
as
possible.
B
A
B
A
G
A
A
G
G
A
A
B
No
I
myself
as
well,
so
that's
I,
I,
think
part
of
the
part
of
the
challenge
here.
I
mean
I.
Think
again
from
my
perspective,
I
just
want
to
make
sure
that
you
don't
get
caught
up
in
a
unnecessary
fundraising
activity.
If
there
are
shorter
term
solutions
that
would
be
viable
that
give
you
what
you're
looking
for
right.
G
So
yeah,
if
there's
I
mean
this
is
what
I'm
asking
here.
If,
if
I
can,
if
somebody
in
this
group
can
provide
a
neutral
infrastructure,
I'd
be
happy
to
take
it
without
going
to
the
TAC,
and
if
that's
Google,
then
that'd
be
great,
it
would
just
need
to
be
without
the
stipulations
that
I've
been
told,
are
required.
For
that.
A
G
Specific
stipulation
is
a
so
in
Google
Cloud
for
sorry
for
those
there,
mostly
AWS
folks,
but
in
Google
Cloud
platform,
there's
a
project
and
then
there's
a
administrator
permissions
on
the
project,
which
means
you
have
access
to
everything,
and
the
stipulation
for
my
current
infrastructure
is
that
a
Google
engineer
must
be
a
administrator
on
the
project.
For
me
to
be
able
to
use
it.
A
B
B
Wearing
my
attack
hat
I
I
think
we
should.
We
can
certainly
open
a
ticket
with
openssf
Ops
and
explore
what
options
exist
within
the
it
framework,
I
think
of
its
own
Advantage
by
the
foundation.
That's
probably
the
cleanest
way,
because
you
may
be
kicking
the
can
down
the
road
if
another,
another
company
raise
their
hand
and
said
I'll
do
this,
but
there's
some
other
restriction
associated
with
it.
G
As
well
yeah
that
could
happen
so
yeah
any
any
request.
Any
request
here
or
like
any
anybody
who
provides
infrastructure
here,
would
it
would
need
to
be
neutral
so
yeah
I
agree
that
that
might
be
the
problem.
If,
if
somebody
provides
it
but
then
says
oh
well,
we
need
we
still
need
to
access
it
right.
B
A
A
C
All
right
so
moving
on
someone
from
Lockheed
Martin
want
to
talk
about
adding
support
for
gitlab
I
know
we
have
some
openpr
right
now,
I
believe
raghav,
who
I'm
not
sure,
if
is
in
the
call,
has
been
working
on
trying
to
sort
of
get
that
PR
across
the
finish
line.
But
if
you
wanna
talk
to
it,
go
ahead.
D
C
A
There
was
ever
early
on
trying
to
make
the
scorecard's
requirements
not
be
specific
to
get
Hub,
but
there's
always
the
risk
of
you
intend
to
do
something,
but
you
didn't
quite
accomplish
it.
So
I
would
beg
for
if
you've
got
feedback
on
the
criteria.
You
know
that
sort
of
thing
you
know
what's
missing
or
you
know
rewording
to
make
it
more
more
General,
I
I,
think
we'd,
be
loved,
we'd,
be
very,
very
interested
in
hearing
it.
A
B
A
C
So,
with
Laurent
structured
results,
it's
sort
of
being
split
where
Under,
the
Umbrella
of
say,
dangerous,
workflows
or
token
permissions.
There
might
be
a
GitHub
specific
check,
but
nothing
that
sort
of
prevents
a
gitlab
specific
check
as
well,
all
under
the
umbrella
of
the
token
permission,
ship,
okay,.
A
C
E
E
Which
is
the
thing
that
my
project
attempts
to
do,
and
so
two
parts
have
suggest
people
deliver
s-bombs
and
then
second
make
sure
they're
of
high
quality
and
so
I'm
happy
to
I.
Think
someone
filed
an
issue
about
this
and
I
said.
I
would
be
happy
to
support
this
happening,
but
it's
not
entirely
clear
what
what
that
might
look
like
for
y'all,
and
so
I
am
here
to
have
that
discussion.
F
Yeah
I'd
be
I'd,
be
interested
in
this,
because
this
is
so
This
Jared
I
I
work
on
with
the
second
with
the
ex-working
group
industry,
working
group,
and
so
one
of
the
biggest
challenges.
Is
you
get
an
s
bomb
out
of
one
of
the
generated
tools
and
then
it's
missing
Shaw's,
it's
missing
hashes.
It
doesn't
tell
you
who
wrote
it
or
who
designed
it.
It's
missing
vulnerabilities.
F
It
doesn't
have
any
they're,
very
weak,
right,
they're,
very
lightweight,
so
the
quality
would
be
really
interesting
to
see
the
challenge
that
that
I'll
dive
into
this
but
understanding
you
know
how
are
you
pulling
it?
Are
you
pulling
it
from
Marine
Corps?
Are
you
pulling
it
from
archivists
or
you
know?
Is
it
you
got
a
point
at
a
repo
that
has
all
your
f-bombs?
You
know
that
I'll
check
that
out
later,
but
full
project.
E
D
A
E
A
E
A
E
C
Yeah,
that's
a
very
common
theme
that
a
scorecard
has
sort
of
been
noticing
is
that
people
have
very
opinionated
opinions
about
scorecard
as
well
like
which
checks
they
care
about,
and
there
should
be
an
issue
with
clo
monitor
or
something
like
that.
Where
you
know
more
and
more
people
are
just
having
this
sort
of
like
we
want
to
customize
how
we
I
don't
know
care
about
certain
things,
but
not
others
and
it'd
be
interesting
to
see
the
overlap
there.
E
Yeah,
there's
probably
some
scorecard
framework
that'll
exist
in
two
years
for
people
making
scorecards
for
to
support
these
sorts
of
things,
but
yeah
I
think
I.
Think
it's
a
question
of
like
building
a
scorecard
is
a
mechanism
by
which
we
can
influence
the
culture
and
the
direction
that
fits
our
agenda,
and
my
agenda
is
that
things
should
have
licenses
and
versions,
and
when
you
get
a
cve,
you
should
be
able
to
look
at
the
s-bomb
and
figure
out
if
you're
affected,
and
so
that's
what's
reflected
in
my
tool
in
the
similar
way.
E
E
C
So,
usually,
just
based
on
the
nature
of
the
meeting
I'm
trying
to
look
at
all
the
attendees
right
now
we're
missing
quite
a
few
maintainers
on
the
just
due
to
travel
and
parental
leave
and
stuff,
like
that.
So
I
think
the
best
would
be
for
sort
of
a
discussion
on
this
issue
that
I
added
to
the
notes
about
adding
support
for
the
s-bomb
scorecard.
C
So
Laurent
sounds
like
he's
on
board
and
I
I
think
it
aligns
with
what
sort
of
secure
best
practices
would
be
in
terms
of
software
supply
chain.
So
I.
Think
next
step
would
be
just
soliciting
comments
on
this
issue
and
sort
of
going
from
there.
Given
that
there's
some
conferences
and
maintainers
missing
right
now,.
C
Yeah
so
I
I,
think
sort
of
soliciting
for
a
comment
in
the
slack
is
good.
I
understand
that
in
the
issue,
though
I'm
pretty
sure
Laurent
said
bring
this
to
the
meeting,
and
then
people
just
happened
not
to
be
here
sort
of
thing,
but
usually
someone
has
an
issue.
They
bring
it
to
the
meeting.
It
didn't
immediately,
get
shot
down,
people
either
want
to
discuss
it
or
for
time
reasons
aren't
able
to
and
then
sort
of
discussion
flows
back
to
the
issue
anyway.
C
C
A
Yes,
I
guess:
does
anybody
have
any
strong
reservations,
given
what
they've
heard
so
far?
Maybe
you
know,
which
is
not
a
very
strong
straw
poll,
but
you
know
hopefully
at
least
gets
the
the
juice
is
Flowing
I
I,
don't
certainly
I
think
the
idea
of
encouraging
s-bombs
is
something
we're
trying
to
do
anyway.
So.
C
C
And
sort
of
that
format
you
described
Justin
where
it's
one
thing
to
have
in
a
spawn
and
then
it's
another
thing
to
have
a
valid
s-bomb,
where
you
know
there's
some
debate
about
what
valid
is,
but
that's
something
that
scorecard
checks
have
gone
through
before,
like
our
security
policy
used
to
be.
Does
it
have
a
security
policy?
It's
like
yes,
but
it
could
have
been
empty
sort
of
thing
and
then
the
check
was
augmented
to
actually
check
a
few
things.
So
it
sounds
very
similar
to
some
of
the
checks.
A
Yeah
and
by
the
way
somebody
else
asked
me
if
that
was
the
of
this
particular
NTA
document
is
what
I
mentioned.
And
yes,
that
is
exactly
what
I
was
referring
to
sisa
in
the
U.S.
This
is
a
U.S
specific
thing,
but
well
you
know
this
list
is
specific
to
it's
a
recommendation
from
the
U.S
that
said,
I
think
other
people
have
looked
and
said:
yeah
I
mean
we
can
there's
probably
more.
That
should
be
there,
but
this
is
a
at
least
I
would
expect
these
to
be
there.
F
A
So
I
yeah
I'm,
looking
through
I,
mean
supplier
name,
sometimes
doesn't
make
as
much
sense,
although
you
know
at
least
the
where
the,
if
the
supplier
is
the
registry,
the
Pat
or
the
or
the
package
organization
that
makes
sense
and
then
component
name
and
version.
Obviously,
yes,
other
unique,
IDs
and
I
think
pearls
and
hashes
make
sense.
A
A
A
Subject:
I
I
think
there
is
a
challenge
that
typically
I
mean
the
better
ones.
I
believe
typically
are
generated
by
the
build
environment,
but
then
it's
not
necessarily
included
in
the
source
code.
It's
you
know.
Well,
where
do
you
put
it?
It's
not
in
the
it's
not
in
the
package,
that's
generated
necessarily
and
it's
not
in
the
source
code.
C
H
H
So
I
want
to
apologize
for
that.
First
off
that
my
bad
and
so
I
want
to
put
it
out
there.
That
I
was
hoping
that
maybe
every
six
months
we
could
discuss
perhaps
having
an
hour
or
two
where
whoever's
interested
gets
in
a
call
together
reads
through
like
speed
reads
through
all
the
documentation
I
found.
This
is
a
good
way
to
just
generate
real
quick
list
of
things
of
like
yeah.
That's
out
of
date.