Charter Security WG #548
WORKING_GROUPS.md
* Define and maintain security policies and procedures for: | ||
* the core Node.js project | ||
* other projects maintained by the Node.js Foundation technical group | ||
* Work with the node security project to bring community vulnerability data into |
node -> Node.js ?
Perhaps unfortunately (but perhaps not), the Node Security Platform styles it Node and not Node.js. See https://medium.com/npm-inc/npm-acquires-lift-security-258e257ef639.
Although I think we still need a change: node security project -> Node Security Platform (assuming I'm right about this referring to Node Security Platform).
WORKING_GROUPS.md
directly delegated to by the TSC). | ||
* Define and maintain policies and procedures for the coordination of security | ||
concerns within the external Node.js open source ecosystem. | ||
* Offer help to npm package maintainers to fix high-impact security bugs |
Missing period?
WORKING_GROUPS.md
* the core Node.js project | ||
* other projects maintained by the Node.js Foundation technical group | ||
* the external Node.js open source ecosystem | ||
* Promote improvement of security practices within the Node.js ecosystem |
Missing period?
WORKING_GROUPS.md
* other projects maintained by the Node.js Foundation technical group | ||
* the external Node.js open source ecosystem | ||
* Promote improvement of security practices within the Node.js ecosystem | ||
* Recommend security improvements for the core Node.js project |
Missing period?
It seems this TOC also needs updating:
LGTM
Great job @vdeturckheim 👍
Can you also add a link to this section at the line in the reference above? #line247
WORKING_GROUPS.md
the foundation as a shared asset. | ||
* Set up processes and procedures and follow these to ensure the vulnerability | ||
data is updated in an efficient and timely manner. For example, ensuring there | ||
are well documented processes for reporting vulnerabilities in community |
well documented -> well-documented
WORKING_GROUPS.md
include penetration testing, security reviews etc, review guidelines, coding | ||
standards etc. | ||
* Review and recommend processes for handling of security reports (but not the | ||
actual handling of security reports, which are reviewed by a group of people |
nit: Maybe it's more clear to change handling -> administration? Maybe not. 👍
WORKING_GROUPS.md
modules. | ||
* Work to set a high standard for the Node.js project. Possibly efforts could | ||
include penetration testing, security reviews etc, review guidelines, coding | ||
standards etc. |
Missing comma: standards etc. -> standards, etc.
WORKING_GROUPS.md
are well documented processes for reporting vulnerabilities in community | ||
modules. | ||
* Work to set a high standard for the Node.js project. Possibly efforts could | ||
include penetration testing, security reviews etc, review guidelines, coding |
Remove multiple etc.
security reviews etc -> security reviews
WORKING_GROUPS.md
* the core Node.js project | ||
* other projects maintained by the Node.js Foundation technical group | ||
* the external Node.js open source ecosystem | ||
* Promote improvement of security practices within the Node.js ecosystem |
Promote improvement -> Promote the improvement
Thanks for the reviews. I updated the doc.
LGTM
LGTM
@nodejs/tsc it would be good to get more approvals. Unless we get objections I'd plan to land 1 week from today.
WORKING_GROUPS.md
@@ -434,6 +435,37 @@ Responsibilities include: | |||
backporting changes to these branches. | |||
* Define the policy for what gets backported to release streams. | |||
|
|||
### [Security](https://github.com/nodejs/security-wg) | |||
|
|||
The Security Working Group manages all aspects and process linked to security for Node.js. |
process -> processes
... and maybe ...
security for Node.js -> Node.js security
WORKING_GROUPS.md
* other projects maintained by the Node.js Foundation technical group | ||
* Work with the Node Security Platform to bring community vulnerability data into | ||
the foundation as a shared asset. | ||
* Set up processes and procedures and follow these to ensure the vulnerability |
I think most of this first sentence could be dropped and start with "Ensure that the..."
WORKING_GROUPS.md
data is updated in an efficient and timely manner. For example, ensuring there | ||
are well-documented processes for reporting vulnerabilities in community | ||
modules. | ||
* Work to set a high standard for the Node.js project. Possibly efforts could |
I'd drop this bullet point.
WORKING_GROUPS.md
Responsibilities include: | ||
* Define and maintain security policies and procedures for: | ||
* the core Node.js project | ||
* other projects maintained by the Node.js Foundation technical group |
"Node.js Foundation technical group" - Does this mean TSC?
WORKING_GROUPS.md
* Promote the improvement of security practices within the Node.js ecosystem. | ||
* Recommend security improvements for the core Node.js project. | ||
* Facilitate and promote the expansion of a healthy security service and product | ||
provider ecosystem vulnerabilities. |
I couldn't wrap my head around this point. It makes sense without the 'vulnerabilities' at the end though.
Going to land as I believe I updated to address the remaining comments. @thefourtheye if I've not addressed your comments adequately just let me know and I'll open a PR to further refine.
PR-URL: #548 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
landed as b82207b
Website needs to be updated too at https://nodejs.org/en/about/working-groups/ if there's not already a PR for that. @nodejs/website By the way, while adding stuff to that page, it might not be a terrible idea to take the time to alphabetize the list of working groups. It seems to be unordered.
PR to add minutes to website nodejs/nodejs.org#1708 including alphabetization.
Refs: nodejs/TSC#548 Refs: nodejs#368 Fixes: nodejs#365
Refs: nodejs/TSC#548 Refs: #368 Fixes: #365
This PR adds the Security WG as a chartered WG.
This probably can't be merged until nodejs/security-wg#295 is merged.
After this, is there anything else I should do to have this validated?
cc @mhdawson