Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Charter Security WG #548

Closed
wants to merge 4 commits into from
Closed

Conversation

vdeturckheim
Copy link
Member

This PR adds the Security WG as a chartered WG.
This probably can't be merged until nodejs/security-wg#295 is merged.

After this, is there anything else I should to to have this validated?

cc @mhdawson

* Define and maintain security policies and procedures for:
* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* Work with the node security project to bring community vulnerability data into

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

node -> Node.js?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps unfortunately (but perhaps not), the Node Security Platform styles it Node and not Node.js. See https://medium.com/npm-inc/npm-acquires-lift-security-258e257ef639.

Although I think we still need a change: node security project -> Node Security Platform (assuming I'm right about this referring to Node Security Platform).

directly delegated to by the TSC).
* Define and maintain policies and procedures for the coordination of security
concerns within the external Node.js open source ecosystem.
* Offer help to npm package maintainers to fix high-impact security bugs

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing period?

* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing period?

* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem
* Recommend security improvements for the core Node.js project

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing period?

@vsemozhetbyt
Copy link

It seems this TOC also needs updating:
https://github.com/nodejs/TSC/blob/master/WORKING_GROUPS.md#current-working-groups

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link

@WaleedAshraf WaleedAshraf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job @vdeturckheim 👍
Can you also add a link to this section at the line in the reference above. #line247

the foundation as a shared asset.
* Set up processes and procedures and follow these to ensure the vulnerability
data is updated in an efficient and timely manner. For example, ensuring there
are well documented processes for reporting vulnerabilities in community

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well documented -> well-documented

include penetration testing, security reviews etc, review guidelines, coding
standards etc.
* Review and recommend processes for handling of security reports (but not the
actual handling of security reports, which are reviewed by a group of people

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Maybe it's more clear to change handling -> administration ? Maybe not. 👍

modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
include penetration testing, security reviews etc, review guidelines, coding
standards etc.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing Comma standards etc. -> standards, etc.

are well documented processes for reporting vulnerabilities in community
modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
include penetration testing, security reviews etc, review guidelines, coding

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove multiple etc.
security reviews etc -> security reviews

* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Promote improvement -> Promote the improvement

@vdeturckheim
Copy link
Member Author

Thanks for the reviews. I updated the doc.

Copy link

@WaleedAshraf WaleedAshraf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mhdawson
Copy link
Member

mhdawson commented Jun 6, 2018

@nodejs/tsc it would be good to get more approvals. Unless we get objections I'd plan to land 1 week from today.

@@ -434,6 +435,37 @@ Responsibilities include:
backporting changes to these branches.
* Define the policy for what gets backported to release streams.

### [Security](https://github.com/nodejs/security-wg)

The Security Working Group manages all aspects and process linked to security for Node.js.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

process -> processes

... and maybe...

security for Node.js -> Node.js security

* other projects maintained by the Node.js Foundation technical group
* Work with the Node Security Platform to bring community vulnerability data into
the foundation as a shared asset.
* Set up processes and procedures and follow these to ensure the vulnerability
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think most of this first sentence could be dropped and start with "Ensure that the..."

data is updated in an efficient and timely manner. For example, ensuring there
are well-documented processes for reporting vulnerabilities in community
modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd drop this bullet point.

Responsibilities include:
* Define and maintain security policies and procedures for:
* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Node.js Foundation technical group" - Does this mean TSC?

* Promote the improvement of security practices within the Node.js ecosystem.
* Recommend security improvements for the core Node.js project.
* Facilitate and promote the expansion of a healthy security service and product
provider ecosystem vulnerabilities.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't wrap my head around this point. It makes sense without the 'vulnerabilities' at the end though.

@mhdawson
Copy link
Member

Going to land as I believe I updated to address the remaining comments. @thefourtheye if I've not addressed your comments adequately just let me know and I'll open a PR to further refine.

mhdawson pushed a commit that referenced this pull request Jun 20, 2018
PR-URL: #548
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@mhdawson
Copy link
Member

landed as b82207b

@mhdawson mhdawson closed this Jun 20, 2018
@Trott
Copy link
Member

Trott commented Jun 20, 2018

Website needs to be updated too at https://nodejs.org/en/about/working-groups/ if there's not already a PR for that. @nodejs/website

By the way, while adding stuff to that page, it might not be a terrible idea to take the time to alphabetize the list of working groups. It seems to be unordered.

@mhdawson
Copy link
Member

PR to add minutes to website nodejs/nodejs.org#1708 including alphabetization.

ChALkeR added a commit to ChALkeR/security-wg that referenced this pull request Aug 6, 2018
ChALkeR added a commit to ChALkeR/security-wg that referenced this pull request Aug 6, 2018
ChALkeR added a commit to ChALkeR/security-wg that referenced this pull request Aug 6, 2018
ChALkeR added a commit to ChALkeR/security-wg that referenced this pull request Aug 6, 2018
bengl pushed a commit to nodejs/security-wg that referenced this pull request Aug 16, 2018
patrickm68 added a commit to patrickm68/security-wg-process that referenced this pull request Sep 14, 2023
mattstern31 added a commit to mattstern31/security-wg-process that referenced this pull request Nov 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

8 participants