Ship It! – Episode #94

Scoring your project’s security

with Chris Swan

Autumn and Justin are joined by Chris Swan to discuss tech industry trends like AI and sustainability, gamifying the software development process and motivating devs to write more secure code, OpenSSF Scorecards and how they offer a way to measure and improve the security and compliance of GitHub repos, the scoring system, and the security posture of a repository.

Sponsors

Synadia: Take NATS to the next level via a global, multi-cloud, multi-geo and extensible service, fully managed by Synadia. They take care of all the infrastructure, management, monitoring, and maintenance for you so you can focus on building exceptional distributed applications.

Sentry: Launch week! New features and products all week long (so get comfy)! Tune in to Sentry’s YouTube and Discord daily at 9am PT to hear the latest scoop. Too busy? No problem - enter your email address to receive all the announcements (and win swag along the way). Use the code CHANGELOG when you sign up to get $100 OFF the team plan.

Fly.io: The home of Changelog.com. Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Notes & Links

Links of the week

Person, place, thing, || null

  • Linux - person (Linus Torvalds)
  • git - person (Linus Torvalds)
  • Kubernetes - thing (helmsman)
  • Algorithms - person (Al-Khwarizmi, Persian mathematician)
  • Trojan Horse - place (Troy)
  • Bluetooth - person (Harald Bluetooth, Danish king)
  • Hadoop - thing (kid’s elephant toy)
  • Venn diagram - person (John Venn)
  • MySQL - person (My Widenius)
  • Debian - person (Deb and Ian)
  • Neon - Greek neon, meaning new

Chapters

  • 00:00 This is Ship It! (00:32)
  • 00:32 The opener (12:53)
  • 13:25 Sponsor: Sentry (03:35)
  • 17:11 Welcome Chris Swan! (00:45)
  • 17:56 What is OpenSSF? (00:53)
  • 18:49 What are scorecards? (01:20)
  • 20:09 Gamifying your dev process (02:49)
  • 22:58 Simplifying security assurance (01:36)
  • 24:34 What permissions does it need? (02:16)
  • 26:49 Versioning scorecards (01:50)
  • 28:39 Promoting security norms (01:35)
  • 30:14 Justin tries the scorecard (04:07)
  • 34:21 Easy open source contributions (02:48)
  • 37:09 Good docs are important (02:40)
  • 39:49 Building confidence (00:48)
  • 40:37 Scorecards and the supply chain (02:44)
  • 43:20 Signed artifacts (02:00)
  • 45:20 Tool maintenance and regulation (02:07)
  • 47:27 Maintainer attention (07:49)
  • 55:15 OpenSSF’s great community (01:05)
  • 56:20 How to get involved (06:04)
  • 1:02:24 Thank you for joining us! (00:45)
  • 1:03:08 Sponsor: Synadia (05:10)
  • 1:08:19 The ender (14:45)
  • 1:23:03 Outro (00:53)

Transcript

Hello and welcome back to another episode of Ship It. I am your host, Justin Garrison, and with me as always is Autumn Nash. How’s it going, Autumn?

Hi. I’m good. How are you?

I’m doing fine. And even if you’re teasing me for it being cold in Southern California, being 62 degrees… [laughs]

It was 35 degrees, and my car was iced over, and you’re over here turning the heater up, Justin…

I did run my heater, because if I don’t have to wear a hoodie, I’m not going to. But actually, it was –

You work in tech. What do you have against hoodies?

They’re fine, but if I can just be in a comfortable room…

This is how we know you’re spoiled in California, because you’re like “Oh, God forbid I put on a hoodie.” We live in hoodies in Seattle. It is practically the state clothing item. If there was one, that’s it.

I will say, I remember when I had an interview in Seattle… I was looking at the weather, and it snowed. This was years ago, and I was like “It’s gonna snow.” And literally, the warmest thing I had was a hoodie. So I went to Target that night, the night before I was flying up to this in-person interview five years ago or whatever… I had to go buy long underwear, some boots, and a jacket that was waterproof, because I had nothing.

You actually dressed up for snow? You didn’t just put on a hoodie and just run as fast as possible? Because that’s the other funny thing… I feel like people – somebody’s always wearing shorts, and a hoodie, and you look weather-confused, because it’s cold outside, but whatever… Especially guys, I feel like there’s people in shorts, and I’m like “Why?” It is cold and rainy. Or nobody actually dresses for weather, and they’re just like “YOLO. We’ll just walk as fast as possible”, and I’m like “It’s cold…”

I am from Southern California, and I will freeze to death in the snow, so…

I love that you really got [unintelligible 00:02:13.02]

I did! I have worn them like three times now. I was just in Japan two weeks ago, and it snowed there too, and so I had to bring them, and I wore them.

I love your weather dramatics. It’s so very California-ish.

If it’s under 40 Fahrenheit, I’m probably going to be bundling up [unintelligible 00:02:31.17]

Justin, I was born in LA, and I’m from Hawaii.

Yeah, whatever.

You’re like “Whatever, don’t judge me.”

You have moved to colder weather; you have migrated, and I stayed here.

Send tacos.

Send tacos, yes. [unintelligible 00:02:46.24] On today’s show we have Chris Swan from – he’s gonna be talking about OpenSSF Scorecards, and we’re gonna get into the whole interview on what that is, and what that means, and I’m really excited for everyone to hear about it, because I learned quite a few different things about why it’s important to have some sort of security metric for open source… So it was a really fun conversation with Chris.

It was really interesting, and not just that, but Chris is the sweetest, and he has the cutest dogs ever.

We did get to see his dogs, [unintelligible 00:03:14.28]

Shout-out to Chris’s dogs, because they’re adorable.

To start off the show, as always, we’re going to talk about a couple of links that we’ve found recently, or in the last week, that we thought you all might find interesting. And I’ll go ahead and start with something that recently just happened for all of us. The leap year. Leap year happened, it’s 2024, and we had an extra day in February. And so I found a list of leap day bugs… And it’s always fun to find out how software breaks in unexpected ways, when all of a sudden there’s a new day of the month. This list has quite a few different things, ranging from high impact to low impact, and some of my favorite ones were around petrol stations in New Zealand that stopped working, or at least the self-service ones stopped working… So I guess if you needed petrol, or gas on that day, you couldn’t get it, or you had to do something else. Pay cash. The self-service credit card machines, I think, is what it was.

The other one that was funny or interesting was in France… The lights turned off at midnight, because – there’s just infrastructure that just disappeared, because it’s like “This day doesn’t exist, so we’re not on schedule. I don’t know what to do.”

It’s just crazy, because it’s “Did we learn nothing from Y2K?”

Y2K brings back so many memories, and I imagine a lot of people writing software on these systems now did not live through Y2K.

You’ve made the best face… You were like “Ah…!”

No, it made me feel so old, because I just met someone recently, and we were talking about all sorts of stuff, and I was like “Wait a minute, when were you born?” and they said 2002. And I was just like “Oh, my gosh…”

Dude, my brother and all his friends - oh, my God; they were born in like the 2000s. He’s like 20. And it just blows my mind, how can you be that old, and you were born in the 2000s? I’m just like “How?!”

Yeah, and they don’t remember the 1900s.

Don’t say it like that…! You made it sound so old, Justin. Why…?!

I think you just aged immediately when I said that.

[laughs] I felt literal pain. I was like “Why…?!”

“My back hurts now. What happened?”

I think I just aged five years. Thanks, Justin. I thought we were friends. First the whole not drinking coffee thing, and now you’re just making me feel old…

I’m sorry…

[00:05:45.23] Okay, my link is “Prescription orders delayed as US pharmacies grapple with national state cyber attack.” So some pharmacies, including CVS, weren’t able to fulfill orders, because of a cyber attack on Wednesday, February 21st. It was enterprise-wide connectivity issues that forced the system to stay down… Which is just wild, because if we know anything of technology, we know that it’s in everything… But you almost forget how much it is. Just between thinking about your link and my link - lights, pharmacies… It is in every part of our lives now. And then with AI, it’s going to be even more a part of our lives. People want to put it everywhere. And then it’s like “But what are the impacts of that when something goes wrong?” People weren’t able to get their prescriptions, and it’s crazy, because since COVID - I don’t know if other people are having this problem, but when you have a kid with ADHD, it’s been so hard to get regular ADHD meds, because there’s a shortage… So think about, on top of that, when there are so many medicines that are life-threatening that you need… And with the laws, you can only get so many days of them… And then you have to get a new prescription, or you have to do it where it’s very strictly timed… So can you imagine if a cyber attack takes down a pharmacy, and you’re on your last day of some life-saving medication, or something that is hard to get… It can really affect people’s lives.

And that’s really interesting too how – like, policy; because you don’t want to avoid people abusing medicine, and taking too much, or whatever… So you write a policy that says “Okay, you should be able to do this thing within this amount of time.” And you don’t understand how other things might be impacted. Because if this was the 1800s - we don’t have cars, we have trains, and so it’s like “Okay, well, you probably need a couple months of this, because the next train coming through, you may not be able to get a telegram over to them”, and that technology directly impacts the policies we have in place for these sorts of things. And when the technology isn’t up to snuff, if it fails or is hacked into in these ways, that policy kind of - all the assumptions around what is possible go out the window.

And it’s wild… I think we’ve been trying for a month and a half to get my kid’s ADHD medicine. I know a mom who went to three different pharmacies and couldn’t find it. And then on top of that, they start going down, like “How is that going to affect people that take cancer meds, or diabetes meds”, or… You know what I mean? It’s just crazy.

It says that law enforcement this week dealt a heavy blow to [unintelligible 00:08:14.12] LockBit ransom group… But there are still plenty of ransomware operators still earning millions of dollars. That’s crazy. That’s a business. You know what I mean? You don’t think of that. It’s not just some dude that took it down for fun. They’re making millions of dollars. That is wild.

If you’ve never read the book Spam Nation, it’s a fantastic read about the spam industry, mostly around drugs and prescriptions that aren’t legitimate, because of these sorts of stresses, of like “I need to get my meds. I have to survive on this thing.” Whether that’s –

It makes me so sad that people are put in that situation, you know?

Absolutely. The amount of stress that it must involve. And then you get an email that says “Hey, I can get you your meds for a discounted price. You don’t need a doctor. All that other process and things that you have to go through, we could just skip all that.” And that boomed spam, in a lot of ways. Not the food, the email.

Not just that, but it makes me sad, because how many older people are – they say that people are eating, or not eating… I think there’s a documentary, people were eating cat food, because they were saying that their meds were so expensive, and people were trying to get it from Canada, and from other countries and places… And then it’s like, think about the fact that if you had an email like that, you’re gonna be like “Oh my God, I can afford something more this week”, you know? And that’s so sad, because there’s already so many robo calls that take advantage of older people, and then you add that into it, and it’s just like “Why are we putting humans in this position to even be that desperate?”

Yeah, the fixed income for a lot of people is a super - like, you have to know exactly where every dollar is going, and what you can and can’t afford…

[00:09:54.07] I remember when I was pregnant with my son, I was so sick… And there was a medicine, it was the only FDA-approved medicine for morning sickness that wouldn’t cause a miscarriage… And it was $700. But it was literally B6 and Unisom, which you could mix at Target for like 12 bucks… And it was $700. And it took three weeks; three weeks of me not being able to hold down water, for insurance to approve it. And I was like “This is ridiculous.” Like, some dude in an office is just turning this down while I’m so sick. It was just like – it blew my mind, that whole process of insurance and stuff.

Now I’m sad. [laughter]

It is sad. I don’t want old people not taking their medicine, and worrying about food… I hope that we do take this kind of stuff into consideration…

And I do find – there was just recently, I didn’t put it as a link here to this week, but the White House is like “We need to write memory-safe languages.” They want people to write Rust.

I thought that was so interesting, that actually the White House was getting into software in that way… And I thought that was really cool, because – which is also kind of crazy, because I feel like a lot of government entities have really old languages, and software… So I thought that was interesting, too. But…

Of everyone telling me what software to write, or what language to pick, I would not expect it to be a government [unintelligible 00:11:11.17]

Exactly. The people that still use COBOL.

“Yeah, maybe this old language isn’t – this Fortran is kind of long in the tooth. Let’s just leave everything else and say ‘What should we do?’” And yeah, memory-safe languages, maybe – it can protect against certain things, but it’s not gonna protect everything. But it’s like “Hey, if this protects anything like this, that could affect millions of people”, then yeah, it’s worth it to pay developers to learn this software, this language, this infrastructure, whatever it is, because that does have huge impacts in something like a government, where everyone depends on it.

But just like if you’re going to build military applications, or government applications, it is better for it to be more stable. And I’m glad that they’re taking those things into consideration, and they’re wanting to build them better… And I know, just being married to someone in the military for so long, they were talking about taking a lot of the processes, like for moving, and that type of thing, and trying to make apps for them… So it’s interesting, because as the military and different aspects of the government do become more technical, they’re going to have to update their tech, because now they’re starting new technical applications on top of the older tech that they’ve been managing… So it’s interesting how those things are going to – I wonder if that law will affect how they build applications for actual military families, and… You know, on top of the building it for ships, and tanks etc.

Cool. Well, let’s jump into the interview with Chris, and talk all about security for open source, because that kind of ties into some of this as well… It’s like “Hey, are you following best practices to secure your repos? And can we trust this code in any way?” And OpenSSF Scorecards is one way to kind of see maybe a proxy of that, of like “Maybe I do trust this, or maybe there’s some bad situations or just something that doesn’t add up here that isn’t secure.” So let’s jump into that interview, and we’ll talk to you after.

Break: [00:13:17.24]

Alright, thank you so much, Chris Swan, for being on the show today to talk all about OpenSSF Scorecards. Chris, tell us about yourself. Where do you work, and what do you do?

Hi, I’m Chris Swan, I’m an engineer at Atsign, where we’re building a platform for next-generation networking based on personal data services. And one of my focuses there is on how we show that we care about security. That’s why we ended up implementing Scorecards, which I guess is what we’re here to talk about.

The way you phrased that makes me very – how we show that we’re interested in security, or care about security… Immediately, my head thinks of security theater, where “Hey, there’s a thing that we have to do for a checklist that doesn’t really matter.” But I know that’s different than what you’re actually working on, so let’s start with “What is OpenSSF?”

OpenSSF is the Open Source Security Foundation. It’s a thing inside of the Linux Foundation, so it sort of sits alongside of the CNCF as one of the projects there.

So it’s its own foundation. And what does it focus on? What’s the purpose of a new foundation that is open security?

So it focuses on securing the supply chain. It seems to have had a lot of initial energy, at least from Google… So we first kind of came across Scorecard when Dart and Flutter implemented Scorecards on their GitHub repos, and they did a blog post about why they’ve done that… And we saw that and thought “Yeah, that’s them showing us that they care about security in a very sort of visual way.” And we immediately thought “This is a good way for us to communicate to our customers that we care about security.”

So what exactly is a scorecard then? Is that a report card on my Git commits? Is this a badge that I put in my banner of my readme? What is it?

So it is ultimately a badge that you put in the banner of the readme, and it has sort of a colored element to it… So as the score gets better, it goes from sort of red, to yellow, to shades of green… So once you get a score of eight or better, it’s a nice, bright green scorecard. If you click on the badge, that will take you to the most recent output file from the scorecard action you’re running… And so what’s happening there is it’s implemented as a GitHub action. Every time there’s a merge to trunk, that action is going to run. And it’s checking against a whole bunch of sort of different areas of security. So do you have known vulnerabilities? Are you pinning your dependencies? Branches protected in your GitHub config? Do you do static source code analysis? Do you do dynamic source code analysis? Have you completed the OpenSSF Best Practices questionnaire to a passing grade, or silver, or gold? And so it’s measuring each of those dimensions, and then adding all of that together into a score out of 10.

You know what’s really interesting? I was reading this article, and it said “Gamifying parts of your development process”, like pipelines or different ways of writing good code and showing developers that they write good code, and that they’ve done something… I don’t know if it’s all because we love video games, but it’s proven to help people to like, if you gamify your metrics, like what colors, or just anything that, they’ve proven that people will write better code, you know? So it’s super-interesting, and I wonder if the way that the scorecards have that, the little buy-in to make you want to get that extra 5%, and then five more percent, you know?

Yeah, it certainly does do that. And yeah, once we started putting all of our scorecards together on a table, then it made me want to make sure that they were all at least green. But then that gets you into the whole – it’s about 20% of the effort to get 80% of the score… So it’s relatively easy to get an eight. To get from an eight to a nine is a ton more effort. So it’s a sort of Pareto thing of 80/20. 20% of the effort to get 80% of the score, but then it’s all uphill from there, because you’re then putting in the other 80% of the effort to get the residual 20% of the score. And it’s a bit sort of law of diminishing returns at some point there.

But honestly, if people were 80% more secure on a bunch of Git repos, especially with open source, because so many people are then inheriting your either good or bad… You know what I mean? So I think even if everybody was at 80%, and just the getting it green motivated people that way… Security is so optional all the time, until something goes wrong, so I still think that would be amazing, you know?

[00:21:55.03] It would. And there was a paper out a couple of months back where they looked at sort of the top 20 open source projects by popularity, and ran Scorecard against them. I think basically none of them had a scorecard in the repo, but anybody can run the tool against any repo.

Oh, that’s interesting, because if you were going to build something and you wanted to look at “Hey, is this secure enough for me to build my application on top of it, or build it into my application?”, and then the fact that you can apply a scorecard to another repo… That’s actually really interesting. That’d be a really good way to pick what open source projects you’d want to incorporate into something that you’re building.

It is. I think if you’re able to choose between, let’s say TLS implementations, then you might very well decide “Yeah, this is the TLS implementation I’m gonna go for, because I can see that the people building this have done the things that show that they care about security”, as opposed to another one where maybe that level of diligence isn’t so transparent.

And by making this a number or a color… I’m Red/Green colorblind, so those probably wouldn’t matter to me as much… But seeing a number of like “You got an 8 out of 10”, it kind of boils down all the complexity of “Hey, are you doing the best practices things? Are you doing the things that we know – you should just have this in place”, like you mentioned, protecting your main branch, or something. Things that are like “Hey, we’re going to probably avoid some of the obvious errors in how this software gets built, and maintained, and distributed by just doing these handful of things, and give you that relatively good number.” Even if it’s like a six or a seven, you’re probably still in the yellows, but at that point you’re still like “Oh, they’re doing something right.” It’s not just like a default open GitHub repo.

Yeah. And I think where people are implementing it, you never see a red badge. As soon as somebody has kind of made the commitment to put a scorecard on their repo, they’ve probably also made the commitment to try and make that score at least decent. So generally, you’re seeing sort of yellow and better scorecards, with scores of sort of 6.5 or better. I’ve not seen anybody sort of publicly putting a scorecard on something where “It’s in an awful shape, but we’re gonna get better maybe later on.”

It could be a good deterrent. You’re just like “You know what - this is an experiment. Don’t use this yet. It is red.”

That’s what I’m saying, I think that’s kind of cool, because when you’re scoping projects, and you’re looking for tools to use, that would be a great research tool.

And you mentioned you can run the tool on any repo. It’s a command line tool, it runs in a GitHub action… What sort of permission does it need on the repo itself? Because you said it will look for things like protected main branch. Is that something that it’s calling the GitHub API for, or is it looking somewhere else for that if you’re just writing this on a bunch of random repos?

So it is making use of the GitHub API. And for open source repos, you can actually see that stuff. So you can see aspects of the GitHub config, even though to change that config you would need to be an administrator.

Right. You have read-only access, and that’s what the scorecard needs.

And you mentioned earlier that you started seeing it on Flutter repos. Is that where it’s mainly being used? Or where are you actually seeing it being implemented in different projects and groups?

The energy seems to have originated from Google, but I think it’s already spread out quite widely from there. So for instance, Intel have now got a very mature open source organization. The leader there, Arun Gupta, he’s now the Chair of OpenSSF. But Arun is somebody that’s kind of moved around the industry, doing roles in Amazon, and Apple, and now Intel, and so is a recognizable industry figure. And for him to kind of take over as figurehead of OpenSSF shows that Intel’s got that commitment to security.

[00:26:12.29] But behind Arun, the team at Intel are kind of busily working their way through thousands of open source repos that they’ve got, implementing Scorecard. That’s just an example of a large organization, with a big open source presence, deciding to adopt it, and committing themselves to the process of a) implementing it, and then b) kind of turning the ratchet to make the scores get better, and working with their internal teams to change some of the tooling and culture that actually lies behind achieving those scores.

Are Scorecards versioned at all? It’s just a kind of question, if “Hey, today you’re a green badge, you’re an eight.” Things change over time, and practices change, and in two to three years from now, I’m assuming what got you an eight today is not going to get you an eight in 2027. So do they version that at all? Is there a way to notice “Oh, which spec are you applying to?” Because this is all to give me some assurances that you’re doing the right thing, but that maintenance does take time.

So being an open source project itself, Scorecard is constantly improving. And one of the side effects of that is your eight today is not guaranteed to be an eight tomorrow. Because the things that are being measured may move under your feet, so new things might be introduced. Hopefully, it means that more people are kind of able to access it. So let’s say it’s measuring static source code analysis tools. Of course, all of the popular open source analysis tools are already there, but there’s going to be a bunch of other tools that people have embraced, and maybe that apply to languages and frameworks that aren’t quite so mainstream. And so people are going to have the opportunity to add those in, and that shouldn’t really affect the score of everybody else. Whereas there’s other cases of sort of new areas of concern being brought in, and that’s kind of adding to the denominator. Everybody now has got a total score that’s being divided by something to get it to a score out of 10, and the divisor just got bigger, because there’s more things being measured. That’s challenging, as a whole, I think, to be continuously improving our security posture, and being diligent to keep on top of that stuff.

I think that’s really cool, because I think people only think about security when something goes wrong… And the fact that more and more people are I feel like championing open source, but maybe it is harder when people are all working for different companies, and beginning people trying to learn how to contribute to open source, and you’ve got people from all over the world, and it kind of gives you a nice measurement for everybody to kind of look over into a goal to meet for security.

It does. And I think it introduces a new set of norms about how projects are expected to work. So if we look at contributing to open source, it can be a very uneven process at the moment. Every different open source project has got a different set of customs, a different approach to doing continuous integration, different standards around what they expect to see in commit messages, and that sort of thing. And I think one of the things that Scorecard will hopefully achieve here is, as more and more people are adopting Scorecard, it’ll level things out a little bit in terms of the common approaches that are typically going to be needed to achieve good scores. So then as you’re moving from one open source project to another, you’ll find that they’re doing things in similar ways, and it’s kind of less of a learning curve to continue that open source contribution journey.

[00:30:12.02] That’s a really good perspective.

I do want to give a little bit an idea here for people that are [unintelligible 00:30:14.18] I literally just downloaded and installed the CLI, and ran it against – I have a Bash scheduler for Kubernetes. It’s written in Bash, it’s like 100 lines of Bash, and I ran it. I’m like “What is my score for this thing that I’ve never touched the repo on, and I never tried to make it secure, and it doesn’t even have releases, all that stuff?” And I got a 2.8 out of 10. So that’d be a red badge, for sure. And this would be good. I do not run this in production; this is not a thing that you should ever be trying. But it’s interesting seeing almost every one of my scores is either a question mark, a 0 out of 10, or a 10 out of 10. I have nothing in the middle. Nothing of like “Oh, you’re okay on this”, which is kind of interesting. I have zero vulnerabilities. I got 10 out of 10. There’s no vulnerabilities in my Bash code. No known vulnerabilities in my Bash code. And that’s kind of amazing right there, when I think about it… [laughs]

And contributors is another one, which is an interesting thought for how does something become secure with contributors. And in this case, in just the CLI output, it says “How many different organizations have contributed to this repo?” And my Bash repo has four different organizations; four different people have contributed to the tool. So it’s like “Oh, that’s actually pretty good.” For what this is – it’s not one company, it’s not one org; four different people have actually committed code to this. So that’s kind of neat.

Yeah, some of the checks are really binary. You either pass them or fail them. But others are very much more on some kind of spectrum. So one of the checks is OpenSSF best practices, and you might see it there as CII best practices… Which is this huge questionnaire which feels to me like it’s somewhat aligned with something like the NIST Cybersecurity Framework. So there’s lots and lots of stuff in there, including the kind of, you know, run over by a bus problem of “Have you only got one maintainer for this thing? Or have you got a bunch of people that can step in to look after it?” The score for that is kind of five if you get passing, and then I think seven if you get to silver, and then 10 if you get to gold.

And zero if you haven’t tried anything.

And zero if you haven’t even started. But I think you can get a three for being in progress. So if you’ve completed a bunch of the questionnaire, you’re not passing yet, but at least you’re trying to get there.

It’s interesting here seeing just what is – because I don’t have a license file in this repo… Which I should. I generally put license files. But I don’t have a license file. So it’s a zero. Fuzzing - zero. Maintained - zero. But I also have no packaging… There’s no binary, so I have no Binary Artifacts, which is a 10. It was like “Hey, cool. You don’t have any binaries, so this is a good thing, because we can see all the code available in the repo.”

So it’s interesting, because you could - I don’t wanna say you could game this, but I could not run this on certain things to make sure like “You know, I don’t want to have to deal with that right now.” I mean, just as you were saying, to get this eight score… I could pick and choose the things that are going to get me a better average, to get me to the eight points of saying like “Hey, this has – again, those best practices. These are the things that as of today, in 2024, this is a good idea for you to have. And let’s make sure that you have those things in place. We’ll give you a decent enough score so people can trust that you’re at least doing the basics.”

So gaming’s an interesting aspect to this. One challenge for us was docs repos. How do you do a CI against a docs repo? What sort of testing should you be doing there? And you have to be a little bit creative with it. So what we’ve ended up doing in that particular case is we have a Markdown linter as one of the CI checks. Initially, I kind of felt a little icky about it, because it’s like “Oh, I’m just putting that in there to make sure that we’ve got something that’s checking the box, so that we can get our nice, green badge.” But actually, it’s ended up changing the culture of the organization around how we use Markdown. And people are starting to lint their Markdown, even in the repos where we’ve not done that, because it’s become the norm to lint Markdown. And actually, the Markdown is all really nice now, and really consistent, rather than as it was before.

[00:34:20.18] I also really think that maybe this could be a gateway into contributing to open source, because when you first start wanting to contribute to open source, you’re like “Well, what do I even contribute? How do I even…? And the fact that something as simple as fixing docs, or linting stuff, or… Maybe if there are low-hanging things that you could do and contribute to make the scorecard better could be somebody’s first couple of contributions… Because it helps you figure out where to implement these things, and then you can go and figure out how to do that.

There’s a lot of debate about how to get into open source right now, and how to do your first contribution… So maybe Scorecard gives not only that best practices that we start to learn, but also is a new way for the next generation of people that want to contribute to open source, and then they can start that journey with best practices.

Yeah. And I always encourage people to start with their documentation PRs. And I think it’s so frequently the case that the creator of a project, and especially sort of a small project - it worked on their environment, and they’ve tried to document it as they think somebody needs to for using it. But you come along and try and use it… Let’s say it’s a Ruby project; you find that there’s a whole bunch of gems that you need, that they had on their laptop, but that weren’t actually documented. And so you can then make a contribution to the readme to say “Dependencies - you actually need to install these gems, and then it’s going to work.” And that’s going to be really useful for the next person coming along, wanting to use it.

That’s such a good thought too, because how many times have you tried a project or done something, and then it doesn’t work the way that you think it is, and it’s so frustrating? But that’s really an opportunity to, for one, make better software for the next person, but it’d also be that contribution to open source. So that’s a really good perspective.

Yeah, we’ve done Hacktoberfest for the last few years, and it was a bit different this past year, because of the not giving away T-shirts anymore. I saw less activity as a result of that.

I didn’t know they stopped the T-shirts.

Yeah, it was kind of positioned as being a sustainability thing. They didn’t want to be using all the cotton, and mailing the T-shirts all over the world. But I did like the T-shirts, even though they gave people options previously to have a tree-planted instead. I chose the T-shirt. But past years, I’ve been entirely happy with people coming along with typo corrections on readmes and stuff like that to score a commit for their Hacktoberfest. That’s absolutely fair game. And I think there’s a little bit of gatekeeping sometimes happens around that, of “Oh, it’s not a serious contribution.” Because even if you’re putting a full stop in the right place to correct something, it’s good enough for me.

I feel like having good documentation is so underrated, and it helps people to use your product. You can have the best product ever, but if it’s hard to use, people aren’t going to use it. So I felt like people should appreciate people that write good documentation, and add to documentation, because like you said, people have been – usually, when you’re building something, you’ve been using that technology for a while. Or you’re so deep in it that you can’t see what you need, or how to explain it… And having a new person come behind you, or a new engineer on your team try to use something is so important, because it’s so easy to assume knowledge.

It’s context, right? It is that “How much do I need to know ahead of learning this?” And there’s a lot of assumptions in various language programming, and stuff like that… It’s just like “Oh, well, you’re learning Ruby on Rails, so you must know Ruby, right?” It’s like “Well, maybe I’m a beginner.” And you have to balance that, “How much do I need to teach someone from scratch, and how much can I just assume that they know?”

[00:38:10.13] A lot of times I’ve helped people that were getting into tech, and they’re like “I don’t know what the command line is. I don’t know where I’m typing and what I’m doing.” I’m like “Okay, well, let’s start at the very basics of what is a command line. And not assume you know what even a command, and output, and exit codes are. And that’s just a different way of like “Okay, but we don’t need to put that necessarily in the docs for everyone”, because then it just becomes very messy. Like, “Okay, well, a long time ago we made computers. We made a processor, and this…”

Let’s figure out how much context is relevant to what we’re trying to do, and where are people starting? And trying to bring people into that. And so I do think that it’s interesting taking this scorecard approach of “How do we get someone to contribute to open source?”, especially from cybersecurity. Because people are trying to get into cybersecurity, or do more just learning around what cybersecurity is, getting in that industry is not generally an open source friendly community.

And every job is like “You need three years of experience.” But how…?

Exactly. And being able to give them this starting point of “Here’s some things that are generally best practices, and we say you have to have, or should have these things”, like pinned dependencies. Even if they don’t know “Why do I need a pinned dependency? How does that help with security?” It doesn’t actually matter right here.

But also, that’s a jumping point for someone to go down that rabbit hole and go learn about stuff. “Oh, this thing is – I can fix this. Now let me go figure out what it is, and then google it, and then learn about it.” And then when they fix it, you’re gonna remember that more than if you just googled something and just had to read it in a textbook, because your brain had to go search that, and then you had to go fix it, then you had to learn about it. You know what I mean? So that’s just so much better of a learning opportunity.

Yeah, and giving someone new a place to start with how to do something, not why, sometimes is important. Because you just need to like “I just need to try it first. I need to do something.” And then I go back and figure out “Oh, why did I do that? What was that relevant to? Why did that matter?”

Also, I gained confidence. I think a lot of times in tech you spend all this time researching and doing theory and learning classes, but the actual – I think people, especially women already have impostor syndrome, and I feel like when you get to actually go and solve a problem and do things, it helps you to be more confident when you get a job, when you’re in that meeting, or to have an opinion. So I think getting the chance to build those small wins, even for yourself, helps you to be in this industry.

Chris, you were mentioning early on that OpenSSF is about securing the supply chain of software. How does this specifically – how do Scorecards tie into that? Why is this an important piece of a supply chain? Because supply chains are generally hashes built on hashes, that are secure to like “No, I can go back to the point of commits, where whatever code I’m running was authored, and made sure that that’s the actual thing I’m running, is the thing that they committed.” How does this tie into that?

It’s a piece to the puzzle. And if you go and take a look at OpenSSF, then there’s a whole bunch of other projects there which are related to how we have things flowing through the software supply chain, and how we can attest to the security of them, and measure that. So things like software bill of materials, and signing artifacts, and stuff like that come into play with some of the other projects… But when we look at the scorecard itself, I think it kind of directly relates to [unintelligible 00:41:36.26] in two ways. So we were just talking about dependency pinning. That’s one of the things that it’s pushing you to do. That’s pinning against shards, not just against semvers. So you’re absolutely stating that “This is intended to work with that particular version of a dependency.” The problem with that is it creates a whole bunch of toil.

[00:41:58.27] Dependencies are changing under our feet at a frightening pace. Something like Python Cryptography - I think I’ve seen four bumps to that in the last week or so… And it’s followed a pattern of – so there’s been two CVEs, where it’s become a known vulnerability to be stuck on the old version, because there’s been buffer overflows or whatever. But then there’s then been a sort of follow-up patch of “Oh yeah, that security fix broke something else for a whole bunch of corner cases that our tests weren’t covering before now, but people complained, and we’ve figured out what was going wrong, and so there’s another patch. We’ve now fixed the tests as well.” So this stuff can be fast-moving, and staying on top of it is a bunch of work.

The other way it kind of relates to the supply chain is what Autumn was talking about earlier - as you’re choosing things that you’re going to depend on, if you’re seeing the scorecard there, then that’s giving you a measure of the quality of attention being paid to security in that project. And so if you do have a choice - and quite often, when we’re picking packages, there may be very little choice; you find the one package that does the thing, and everybody’s depending on that. But other cases, you do have a choice, and that might be one of the things that leans you one way or the other.

You mentioned a couple of things there, on this being a piece of the puzzle, where looking at this test output I don’t see anything about signed artifacts, and I don’t see anything about some of those other things that are more downstream, because this is focused strictly on the repository, how’s the repository managed, and how the code is managed, not necessarily how we’re distributing artifacts. So there’s different tooling, and different ways that we should be verifying that outside of what the scorecard is going to do.

So signed artifacts is absolutely one of the checks. And this is a little tool that got published in the last week or so from one of the Linux Foundation folk, where you can point it at your scorecard and it’ll show you a radar plot of the different scores and where they came from. And so signed artifacts is in there. That’s one of the places that our repos sort of zeros at the moment, because most of them we’re not signing artifacts. And we’re not doing that because in many cases there’s not actually a mature, signed artifact consumption mechanism on the other side of that to actually make it worthwhile doing for the consumer perspective of the artifact.

So things like Python artifact signing is actually at the maturity where it’s worth doing, and somebody might actually be implementing checking the signatures… But something like Dart - that’s less of a thing in that ecosystem at the moment. So not quite as relevant.

Yeah, if we kind of look at both sides of it here, are you looking at the dependencies coming in and the quality of those, and then you’re looking at what you’re creating and how that might be somebody else’s dependency, and the level of assurance that you can pass into that next link in the chain.

And I probably don’t have any sort of signing in my output, because I have no artifacts, I’m guessing… We can skip over some of those tests if we’re not actually consuming, or – yeah, it’s like “Yeah, let’s not run that.”

I also think that’s interesting though, because especially when - they always say that startups and innovations and new things are built when tech is in a downturn. And I wonder if things like this, where we’re talking about best practices and how you said there’s no mature tool on the other side - I wonder if that also starts innovation. Like “Hey, people notice we don’t have something for this. Let’s go build it.” Or if that kind of influences that kind of when we see holes for use cases and problems, and then we go make solutions for them.

[00:45:53.01] There’s so much happening in that space at the moment. And it all, to an extent, flows from an executive order. And I know there was many years of work done by some dedicated practitioners in the security space to get to the executive order in the first place. But now there’s an executive order mandating federal agencies to get a software bill of materials with the software that they’re requiring. The purpose of that is really to draw attention to known vulnerabilities in software that’s being acquired by the federal government. But of course, the people doing this applying here are having to step up and create the mechanics to create those software bills of material. And then there’s also a whole bunch of tooling arriving so that you can look into your software bill of material and see what are the known vulnerabilities. And maybe there weren’t any yesterday, but there could be today, so [unintelligible 00:46:45.08] already known stuff in your environment.

And I think sophisticated organizations are already starting to implement processes and tools around consuming that stuff… But it is so early days. So for the bulk of the industry, it’s going to be years before this is commonplace. But it will come, and there’s a whole bunch of work to be done to make it happen across the huge variety of programming languages, and infrastructure, and frameworks and whatever else we’ve got out there.

I think what you were mentioning before too, where this isn’t all positive things necessarily. This does add more toil, this does add more things that you have to maintain… And you shouldn’t jump into that toil until you need it, or are required to have it sometimes, where it’s like “Hey, if I’m going to pin all of my dependencies, and now I have 10 more PRs a day or a week from my dependencies all shifting and changing, and I need to update and test those things, I can’t actually build new things into my product. I’m just gonna be maintaining it, and maintaining the scorecard forever.” Knowing when and how you should adopt those things is important, and the federal government having a bill of materials and knowing where their software comes from is a very good example of “You know what, I would love to, for some of my tax dollars, to go into them knowing what they’re running.” And that’s okay for me, to say “Actually, that toil is necessary and a good improvement on knowing at least known vulnerabilities, and the places they’re getting their software will meet some minimum bar of they’re not running a Bash scheduler in their Kubernetes clusters.” I sure hope not. I have no scorecard… And those sorts of things are – and it’s really important to know how it’s being consumed, and where it’s actually important.

But yeah, for something like my personal repos, where I’m just like “Actually, I don’t think I want to pin this, because I’m okay if it breaks. I don’t have an SLA, and I’m not getting paid for this code. It’s just me to experiment and learn and put something out there to share.” That is okay to not have a scorecard.

See, I think I’m almost the opposite. I’m like “I want to put this on everything, so then I can learn –” You know, I just love reading about security and post mortems, but then now I’m just like “I can actually figure out how all these things work in context.” When you get to work in software, you work in your realm of software, and you don’t always get exposed to other things. So it’s so fun finding ways to expose yourself to ways that other people are using this to actually build things, but on a level where you can play with it on the weekends and that night, you know what I mean? So I think this is almost fun, because I can go implement that and be like “Oh, that’s what this does in real life”, more than just reading about it in the book.

I have been archiving a whole bunch of my repos, because I just got sick of the maintenance. And I think it becomes one of those things of you have to be conscious about “These are the active projects, and I’m actually going to keep on going with the toil on them. And these are the ones where it was interesting at a point in time, but I’m ready to move on from that particular experiment.” And when you archive the repo, of course it’s still there, but it’s kind of just setting the flag as if to say “No longer active. Don’t expect all of this to be up to date.”

[00:50:10.12] It closes issues, it closes all that, yeah. It’s just like to say “Hey, if you really like this, you’re welcome to the thing that I created.” I’m reading the book “Working in public” right now. I’m almost through with it, and one of the things that they point out in there which I find really fascinating is that software in general - it doesn’t take me more money to make an extra copy for it. Anyone can go consume the code without needing to do anything. No bits are coming from my brain for them to be able to consume that. But what does cost me money is my attention. And when they leave comments, or issues, or pull requests, and especially if those things aren’t necessarily meeting a certain standard of formatting, like they didn’t format the code, or they didn’t give me the logs… That takes more for me to reproduce, and then my attention is a finite amount of thing that exists that’s kind of attached to that code in some way, where it’s like “I learned this years ago, but it’s not something that I can keep giving attention to, because I can’t keep giving attention to the toys that I bought when I was five years old.” Sometimes you have to give those things away at a garage sale… And at some point, my code is going through the same stages, where it’s like “You know what, I played with that enough, I learned enough from it. Now I need someone else, if they want it. I can’t give any more attention to it.” And I find that really fascinating, how they point that out in the book, about just like “Hey, this is the expensive thing in these code repos and how they exist, because yeah, software/the bits we can replicate over and over again, without costing anything.” But once you start pulling attention from the maintainers, or from the people who write it, or do anything around the project, that attention is finite for people, and you have to really guard that.

It’s also part of the culture of software though, because we’re always like – this is the only job that you do your job for fun on the weekends. You know what I mean? It’s just expected that you build projects all weekend, and that you’re constantly – like, how many people have bought domains, created things, and at some point, where do you get that work/life balance? Or just kind of like, when do you decide that you’re done with that project?

But it’s not just software though, right? Because I thought I was gonna be a mechanic my entire life. I love cars. I was working on cars, and I would work on cars on the weekend. I would go – I’d get paid to work on cars, and then I’d go home and I’d work on cars. And that’s what I liked doing. But I wasn’t publicly visible to people. I was like “I’m just spending time in my garage.” And that’s okay, because it is still my guarded area of like “I don’t have to answer questions to someone else.” In the book also they point out Christmas lights. In the United States it’s a big thing, you decorate the outside of your house for a holiday… Which is weird to kind of do, because you’re just like showing off. At some point “Oh, maybe this is a competition”, I don’t know. But someone can drive by my house, and they can look at my Christmas lights. And that’s okay. That’s what I want them to do.

Some people definitely make it a competition. Some people –

Absolutely. There’s lots of negatives and consumerism in that, but also, for me - I like how my house looks when it’s decorated. And I’m going to spend a day or half a day decorating my house. And then anyone that drives by, it’s free for them to look at. They can come – I want them to come drive by and see the cool thing that I created out of my creativity, and budget, and whatever, in my time. But at the end of the day, if they want me to make changes to it… Like, no one’s knocking on my door and says “Hey, can you get the bigger snowman next time?” Or “Can you move this light? Because I don’t like how that looks.” But that’s how software works. In open source, I put something out there and someone’s like “Actually, this flag is bad. Can you go change that for me?” No, this is not – this is mine. I decorated this, I built it, and I don’t really care to take outside contributions right now. But there is this assumption in open source that you can just go and do that, because you’re just like “Well, it’s open source. I’m gonna go add an issue and say “Please change this output to be something different, to fit my needs.” I’m like “No. Go fork it and do it yourself.” But no, that’s maintenance stuff for them. And they don’t want the maintenance, right? Because my house - no one has ever knocked on my door to say “Please change your lights.”

[00:54:08.29] It’s just like a different mindset of how we treat open source. And in this case, a scorecard gives them the visibility, like “I care about this thing.” I’m gonna do enough to provide this information to you of “Here’s the basics, and we do care about this. We’re going to try to improve it, or at least keep maintaining this number.” We don’t ever want it probably to drop. But it does open it up enough for someone getting started to say “Hey, I actually want to contribute in this. I want to learn in this area. Would it be okay if I increased your score in these areas?” Or even just giving them a way to measure themselves against someone else. Like “Oh, that other repo has an eight. What would it take me to get to an eight? I don’t know. Let’s go look at that.” And it does give you that comparison as well, to know just a baseline of… I mean, grades at school are the same way. It’s like “Oh, I have straight Bs. Is that good? I don’t know. How many letters are in the alphabet? Is this out of 26 letters?” “No, it’s actually just five letters. We’re good. Just try to get the As next time.” And then this just gives you that sort of comparison level to let you try to improve, and to know where you’re not doing necessarily the best practices, or need some help.

I think it’s also such a cool learning opportunity, and a way for new people to get in. It’s so cool that you’re solving multiple problems; you’re solving the problem of better security, and giving that visibility and credit to motivate people to have better security… But you’re also kind of allowing an in for new people in this world that has a lot of gatekeeping. So it’s really cool that you’re solving multiple problems with one thing.

Yeah. And I think the other thing I’d throw in here is, as I’ve come to know some people in OpenSSF and the community around it, they’re just super-helpful, lovely folk, that are really interested in raising all the ships. So I think some parts of communities get a bad rap, but most of the ones that I have personally encountered have been fantastic. So we were talking a little about Flutter earlier… The Flutter community is just lovely. So far my encounters with OpenSSF have been amazing. Nice people doing good work.

So if someone wants to get involved, where do they start?

I would suggest start at OpenSSF.org. They can see Scorecards as one of the projects there, and that’ll take them into the Scorecards mini site, and that’s kind of got a guide on how to implement it, and whether you want to do sort of standalone with the command line tool, or go to the GitHub Action and make it an ongoing part of your repo.

How do you get involved with OpenSSF and the foundation? Because it sounds really cool.

So there’s, I suppose, two different ways there. So one is formally becoming a member of OpenSSF. And that works like so many of the other Linux Foundation projects. So it’s a very organizational approach, and if your organization’s already a member of Linux Foundation, then there’s a different price structure to if you’re just going in to join the OpenSSF.

There doesn’t seem to be an individual membership approach at the moment. That brings me into the sort of second area of it doesn’t really matter, because it’s a very open and welcoming community. So if you’ve got issues or PRs or other ways of contributing, the repos are there, and you can go along and do that. They don’t seem to be gatekeeping activities around OpenSSF to just people who work for organizations that are OpenSSF members. I’m getting involved next week in a webinar – not next week; the week after that. OpenSSF are doing it about the topic of Scorecard, and it’s a combination of customers of Scorecard like us, and then some of the people who’ve created and maintained it.

[00:57:58.12] Cool. And if people want to reach out to you online, where are you available?

So I can be found at chris.swanz.net. And that’s kind of got links to all of my social media, and LinkedIn, and GitHub, and all that kind of stuff. And so yeah, I’m pretty easy to then kind of find a route through to. And of course, in amongst that I’ve done a few presentations about Scorecard. It’s very much focused on a practitioners’ approach. “What does it take to build the foundations within your organization, to do your first repo, and then to repeat that process across the other repos that you want to put Scorecards onto?”

Yeah, I could see this at a large enterprise or company being very political. There’s a lot of security tools, there’s a lot of people that want to focus on security, and there’s a lot of people that have strong opinions about security implementations. And I could see this as a starting point of if you don’t have good security practices, like “Hey, we should try this, because it’s open and it’s free for us to get started.” Free as in there’s no buy-in to use the tool. But not free as in it does take time. And being able to show off within your organization how that could work, but also maybe even pushing back on some of the more closed vendors that don’t provide anything like this, of like “You trust our tool to do all the scanning, and we give you a green checkbox inside of our dashboard, which isn’t publicly available or shareable.” And I’ve used plenty of security tools in the past that are very closed and guarded about their secrets of how they score things, and how you can improve those things, and not being able to share those things… And so I can see this as being an open approach of like “This information should be available to more people”, and you shouldn’t need a paid contract to be able to verify if this works in your repo, or with your languages or not.

I work with a lot of college students and military spouses learning how to code and kind of learning how to get into tech, and I wonder if Scorecards would be a nice way to teach them about securing their GitHub repos? Because I’m teaching Git classes, but I also wonder, are there any pathways for college kids to get involved in OpenSSF, or any other open source organizations that you’re like –

Oh, there absolutely are. There’s so many projects and so much work to be done… And so yeah, I’d encourage people to go and take a look there. There’s new stuff happening on an almost daily basis. And of course, an awful lot of toil behind it, which needs many hands to get to the work there. The other thing this gets you to is, when you’re doing this in your own repos, especially if you’ve got multiple ones, as you’re moving forward from that, you want to have good quality templates, that just have everything done already… But also, you want to have a repeatable config. Autumn, you were saying earlier “I want to get into Terraform.” That’s your hook to get into Terraform, because you can use Terraform to have consistent, good config across all of your GitHub repos.

And that’s the general rule for most – like, a lot of things start as toil. We do them manually, we figure out the pattern, and then we make a template from it. And then we do the template over and over again, and then we automate the template, and then we abstract the template. That’s the general flow for anything in infrastructure and software. It’s just like “Hey, we’ve figured out the hard way to do it, we’ve figured out an easier way, that was repeatable”, and then we’re just like “Now we don’t really think about it anymore.” And at some point, hopefully some of this stuff just becomes abstracted away, like “Hey, this is just the defaults. If you don’t do this, it’d be surprising.” That eight score is not something you have to achieve anymore. If you drop below an eight, you probably did something very wrong, and we need to figure out how to get everyone to that level eight of like “Best practices are just best practices, and everything is defaulting to that.” So I think that’s really cool long-term.

Safe defaults. This is normal.

But it’s also teaching you best practices while you go through it, so it’s also a great learning opportunity at the same time. So it’s even better.

Especially right now, as it’s changing.

[01:02:08.05] That’s what I’m saying. So much has happened in infrastructure in the last four years. It’s wild how far we’ve come. So getting better best practices and better ways to set up your next project… I mean, there’s definitely a lot of value in that, you know?

Well, Chris, thank you so much for coming on the show today, and talking to us about OpenSSF Scorecards. Hopefully, anyone that’s interested wants to reach out to either you, or OpenSSF, they can get involved and try out the tool. Go run it. I just ran it during this podcast, and it’s super-quick, and it showed me that I don’t have any vulnerabilities in my Bash, but I can make some improvements still. And that’s kind of the goal, of being able to level up everyone on where they can improve, for especially areas that I didn’t realize maybe I need to do some more work in my repo. So thanks, Chris, for coming on, and we’ll talk to you again soon.

Thanks, folks.

Thanks, Chris.

Break: [01:03:02.02]

Alright, I thought that was a great interview with Chris. Thank you so much for coming on the show and telling us all about OpenSSF Scorecards. For today’s outro of Ship It - I’ve been making new outro segments every time, and I went into a rabbit hole last week of how things got named.

I just want you to know that I love your rabbit holes, and when you get excited about stuff. It makes me so happy.

Well, I started reading a blog post, and then I read comments, and then I started on Wikipedia, and I went on more Wikipedia links than I have in a long time. That Wikipedia hole was deep.

This is why we are the best ADHD friends.

So at some point, I just started writing notes, and I’m like “Okay, what does this mean?” And then I’m like “Okay, this is a game.” We’re gonna play a game, Autumn, and you’re gonna be the contestant, because I have all the answers.

Oh, I’m so excited.

And this game is called Person, Place, Thing, or Null. And we’re going to talk about different technologies, and you can decide –

I love that you came up with that cool name, too. I’m so proud of you.

You have to decide if this technology was named after a person, place, thing, or just made up, it wasn’t any of those things, or it was like another word, or term, or something that. Null’s a catch-all for the –

Well, I’m gonna suck at this game, but I’m here for it. Let’s do it.

It’s fun. So let’s talk about – just for an example, Linux. Linux, the operating system. That was named after Linus Torvalds. Right? He created it, and he named it. Do you know where the name of Git comes from?

It also comes from Linus. He created it. And it means a stupid person in British. Like, it’s slang for like an idiot.

Shut up…!

And he said he named it after himself. And so Linus also created Git, and then said he named it for himself. So the name Git comes from him, maybe for himself. So it’s kind of –

Do you think he really named it after himself, or do you think he was like “Look, [unintelligible 01:10:06.08]

Whatever the case may be, he claims that he named it after himself. And that’s a fun little tidbit there for people. So where does something like the name Kubernetes come from?

I don’t know. I’m terrible at Kubernetes.

Do you want to guess? Person, place, thing, or null?

I guess it would be a thing, but it’s Greek for helmsmen.

Oh, I love that. I love when they mean services after – oh, but that makes sense, because of the little wheel; that’s so cute.

Now you get the logo. There you go.

That’s adorable.

So the interesting tidbit as well about Kubernetes and the wheel - the wheel has seven points on it, because the project name inside of Google was Seven of Nine, because they were a big Star Trek… Borg is their internal system…

See, this is why you have to teach me about Star Trek and frickin’ Star Wars, because I miss all this stuff.

So that’s a fun little tidbit of like why the wheel is the way it is. And it also – it’s like, it’s really hard to find a wheel that has seven points, because they’re ridiculous to me.

Why do I feel like you’ve probably tried to find one of these as a prop somewhere?

Maybe. Maybe not.

[laughs]

Let’s go to something that you might be a little more familiar with… MySQL. Person, place, thing or null?

Place. Or – no. Thing?

It’s a person. The person’s name is Michael Widenius, who created it. Or at least named it. So they actually named it “MySQL”, like their name, sequel. And my is actually their first name.

Interesting. I was thinking SQL would be something, not the “My”. So that’s cool.

I know. And that was the first time – I was just like “I had no idea” and “This is cool.” And so that’s where I started down this route. So here’s what we were talking about before the show recording - Venn diagram. Person, place, thing or null?

I still – like, I really want you to make a Venn diagram of nerds, because I feel like that could be a whole show… But okay. I feel like it was named after a person.

It was. John Venn. John Venn was the person that a Venn diagram was named after.

Who was that?!

[01:12:07.29] The person who created Venn diagrams. I didn’t get all the links out of it. I just wrote down…

Okay, but also, do you just wonder how he was sitting there, thinking about Venn diagrams one day?

Yeah, I wonder what train of thought led him down that path. How about a Trojan horse?

Isn’t Trojan named after the city that did it?

Exactly. It’s a place, yes. It’s named after Troy, where it happened. So a Trojan horse as a virus or something in your system is named after Troy, as the city. How about Bluetooth?

Thing, maybe?

It’s a person.

Really?

Harold Bluetooth was a king of Denmark.

Okay, there are some people with some very interesting names.

Yes, it turns out names are very interesting. What about Neon?

Let’s just say a person, because I don’t think it’s a person.

It was from the Greek word for new.

We are a bunch of nerds in tech, huh? I love Greek mythology, and Greeks, all of that. So every time there’s a random service named after it, it makes me so excited.

I’m gonna do a couple more. These are fun. And I have such a big list right now… Okay, this one surprised me. Person, place, thing or null. Algorithms.

Person.

Yes. al-Khwarizmi. I’m sorry, the name is – I cannot. I’m just too white. But he was a Persian mathematician.

You are ridiculous! [laugh]

I’m trying. I literally was reading it, over and over again, in my head. I’m like “I’m gonna pronounce it right.”

I can’t read things in my head until it’s time for me to actually say it out loud, and then I’m like “Oh, my…”

Yeah. He was a Persian mathematician. Algebra was also named for him. But algorithms - he had a couple of big books about math, from a long, long time ago. So algorithms are named after him.

That’s interesting, because I always wondered if Algo was like – you know how they have biology, and then ology, and then like “the science of”…? I always wondered if there was an abbreviation – not an abbreviation, but what would you call it? Sort of like algo meant something like, scientific, or mathematic.

Oh, yeah. Alright, let’s do two more. Hadoop. Person, place, thing or null? Hadoop.

Person?

A thing. It was named after the inventors – one of his kids had a toy elephant, that was named Hadoop. That was his name, and so he named this –

That’s adorable.

…thing after his kid’s elephant toy.

Oh, that’s cute.

Okay, last one. Debian. Debian, the Linux distro.

Thing.

Person. But actually, two people. People named Deb and Ian.

Oh, that’s cool!

So they have Debian. And fun fact about Debian is all of their releases are named after Toy Story characters. And so you have – so if you ever use Jesse, or all of these… All of their normal releases are named after characters, and then –

Do you ever hear something about someone, and you’re just like “I’d totally be their friend”? [laughter]

Yeah, we are immediate friends. I don’t know you, but we are friends. The unstable release of Debian is called Sid, for the neighbor that blows up toys.

Oh, my God. Okay, tell me how my kids could watch Nightmare Before Christmas and every creepy Disney show, but Sid was where they drew the line. They were like “This dude - no.” It took them years to watch Toy Story, and I’m like “That’s not even a scary show.” And he’s like “Did you see what they did to the doll?”

If you watch it now, the animation was so crude that it actually looks a little more scary to me, where I was like “Oh my gosh, it’s uncanny valley sort of scary”, because we look at what animation is now, which is like “Oh, that dog doesn’t have fur! It’s like a weird [unintelligible 01:16:01.26] thing.”

[01:16:05.15] There’s a lot of things I’m like “Actually, this scares me this. I get this.” So if anyone has other names for things, please send them; email us, shipit [at] changelog. Because I want to hear more of them. I have a list now, and we could redo this as a segment if we get more names.

Or post them in the comments. That’d be cool, too. We could reply to the comments.

Yes, that’s true. Leave a comment, whatever. If you also have people that you would like to hear on the show, topics you’d like to hear on the show, go ahead and please email us, shipit [at] changelog, because we have a collection of people we’re talking to.

What are your dream interviews? I feel like we need more space people.

More space people, yeah. Who do people want on the show? Who would be the number one – I want to hear what this infrastructure…

Like, what kind of industries would you – what is your jam? What would be your top industries that you really want to know more about?

I love embedded systems. I like hardware, and I would love to hear – the space episode was really cool, just because it was something far, far away. But also other systems like that, that are in environments where nothing should exist. Things deep sea, things in the desert, things that we’re just like “This has to exist for five years with no one ever touching it.” The systems that collect earthquake data. How are those maintained? Where do they run?

I love processes, and thinking about the unique problems… Because those are such unique problems that you have to solve for, but they’re abstract in a way, but they’re also very visual, in like a physical – you can think of like “Okay, this is going to be somewhere, and it’s going to have this problem.” And I just love the fact that you have to solve for those physical things, but with also software… So they’re satellites, but they’re going to be in space. But then also, I just think that’s so cool [unintelligible 01:17:55.18]

I have always loved when software interacts with the physical world. When bits and atoms, they get together and they’re like “We’re doing something together.” And it’s just like “Ah, I wrote something down, and it made –” The first time that I loved software is when I made an LED turn on. I typed something in a computer, and that light lit up.

Yes…! That’s why I love IoT, and that kind of stuff, because it’s that bridge between you get an IDE, and you make a bunch of stuff out of thin air, and then it affects the real world. And that is just like –

And electricity moves because I told it. That’s just it’s like “Ah…”

It’s like real magic in real life. You know, if you grew up thinking about Harry Potter, and all these magical things, and then all of a sudden it’s like software magic in real life… The first time your kid runs something in a code editor, and they see it work, and you’re just like “Yes! We’ve got them.”

Robotics is really fun, and there’s a lot of things like that, where it’s just like, I love how those things get together. The words I wrote over here…

I’m going to pay my life savings for my kid to go to a robotics camp, mostly because I couldn’t afford stuff like that when I was little… And I’m so jelly, dude. I’m like “Why don’t we have this for adults?”

An adults space camp would be amazing.

Oh my God, we have to start this space camp…!

Autumn, I have too many things going on. I’m not doing this. I’m just kidding.

[01:19:19.04] I know. We don’t have enough hours in the day already. But okay, but hear me out - space camp would be so much… Can you imagine me and you and a bunch of our nerd friends at our space camp? That’s it. We have to call Andrew, and be like “Andrew [unintelligible 01:19:30.10] We have an idea.”

Alright, thanks everyone for listening to the show. One last thing is the day you hear this - hopefully it’s not too late, but March 14th through 17th, Autumn and I are both going to be at the Southern California Linux Expo Scale in Pasadena, California. So if you are coming to Scale and want to say hi, Autumn and I are both giving talks there. We’re going to be around on – it goes over the weekend. It’s a great family-friendly event if you have kids; they have a game night on Saturday nights. They actually have a nerd Olympics this year…

Oh, my God. I’m so excited.

There’s a lot of fun things going on. And if you’re at Scale and want to say hi, please feel free to stop us. Yeah, we’d love to meet you in person.

We should record a Scale episode.

I’m trying to think of how we would do that, and if we want to do interviews for it, so we might have a Scale –

We should [unintelligible 01:20:21.25] That’d be so much fun…!

Yeah, a Scale episode… But also, I’m working, I’m one of the organizers for Scale and Kubernetes community day, so I have a lot of other things to do… So we’ll have to figure out how that fits in.

Stop having five jobs, Justin. We have to do fun nerd stuff.

That is fun nerd stuff. I get to volunteer for a Linux Expo, and that’s cool.

It is cool.

The eyeroll on that was…

But we have to have interviews, too.

Well, I’ll send you a microphone out and you can go start meeting all the cool people and just recording.

Also, we should go into the nerd Olympics. Oh my God, we can be a team. It’d be so much fun.

If you want to compete with us, I’m sorry; you will not get golds. We will win these events. Do you think the Nerd Olympics are going to have physical requirements?

I don’t know. The possibilities… I’m super-excited. It can go either way. I’m just excited to see what it is at this point.

I don’t remember all of the events, but I remember one of them was like a paper airplane contest; like, who can throw the paper airplane the farthest.

Okay, [unintelligible 01:21:27.19] at that. I’ve got three kids. I can do that.

There you go. One of them was rebuild a Lego model without the instructions… But the Lego model’s across the room, so you have to go run, look at it, go run to your table and build as fast as you can… And if you need to see it again, you’ve gotta go run back.

Oh my God, the kid that’s never been that great at sports - this is me right here. I’ve finally found my jam of Olympics.

The game night at Scale is pretty epic. So if you’ve never been to the Southern California Linux Expo before, I highly recommend it. I’ve been going for –

I feel like I’m going to the conference of my people, and I’m so [unintelligible 01:22:04.05]

It is my favorite conference to go to every year. It’s fun, it’s in Pasadena.

I’m so excited to meet you in real life. We’re going to be like nerd friends in real life together. It’s going to be so awesome!

It’s gonna be a good time. But yeah, if you are listening to this show and want to say hi, please stop us and do so, because we don’t know your face, and hopefully you’ll at least hear our voice. If you have to see my face, I’m sorry.

I’ll be the girl with way too many tech T-shirts and [unintelligible 01:22:31.09] It’s gonna be great.

Hopefully people will find you with that. But also, come to your talk and learn all about AI and data.

I both want them to come and want them not to come, because I’m really nervous. It’s gonna be great though.

Yes, it is gonna be great. So thanks everyone for listening, and we will be speaking at you next week. Thanks for joining, and hopefully see you soon.


Our transcripts are open source on GitHub. Improvements are welcome. 💚
