
Charter Security WG #548

Closed
wants to merge 4 commits into from
Closed


Conversation

@vdeturckheim
Member

@vdeturckheim vdeturckheim commented Jun 1, 2018

This PR adds the Security WG as a chartered WG.
This probably can't be merged until nodejs/security-wg#295 is merged.

After this, is there anything else I should do to have this validated?

cc @mhdawson

* Define and maintain security policies and procedures for:
* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* Work with the node security project to bring community vulnerability data into

node -> Node.js?

Member

@Trott Trott Jun 2, 2018

Perhaps unfortunately (but perhaps not), the Node Security Platform styles it Node and not Node.js. See https://medium.com/npm-inc/npm-acquires-lift-security-258e257ef639.

Although I think we still need a change: node security project -> Node Security Platform (assuming I'm right about this referring to Node Security Platform).

directly delegated to by the TSC).
* Define and maintain policies and procedures for the coordination of security
concerns within the external Node.js open source ecosystem.
* Offer help to npm package maintainers to fix high-impact security bugs

Missing period?

* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem

Missing period?

* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem
* Recommend security improvements for the core Node.js project

Missing period?


Member

@mcollina mcollina left a comment

LGTM

Member

@WaleedAshraf WaleedAshraf left a comment

Great job @vdeturckheim 👍
Can you also add a link to this section at the line in the reference above. #line247

the foundation as a shared asset.
* Set up processes and procedures and follow these to ensure the vulnerability
data is updated in an efficient and timely manner. For example, ensuring there
are well documented processes for reporting vulnerabilities in community
Member

@WaleedAshraf WaleedAshraf Jun 2, 2018

well documented -> well-documented

include penetration testing, security reviews etc, review guidelines, coding
standards etc.
* Review and recommend processes for handling of security reports (but not the
actual handling of security reports, which are reviewed by a group of people
Member

@WaleedAshraf WaleedAshraf Jun 2, 2018

nit: Maybe it's more clear to change handling -> administration ? Maybe not. 👍

modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
include penetration testing, security reviews etc, review guidelines, coding
standards etc.
Member

@WaleedAshraf WaleedAshraf Jun 2, 2018

Missing comma: standards etc. -> standards, etc.

are well documented processes for reporting vulnerabilities in community
modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
include penetration testing, security reviews etc, review guidelines, coding
Member

@WaleedAshraf WaleedAshraf Jun 2, 2018

Remove multiple etc.
security reviews etc -> security reviews

* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
* the external Node.js open source ecosystem
* Promote improvement of security practices within the Node.js ecosystem
Member

@WaleedAshraf WaleedAshraf Jun 2, 2018

Promote improvement -> Promote the improvement

@vdeturckheim
Member Author

@vdeturckheim vdeturckheim commented Jun 4, 2018

Thanks for the reviews. I updated the doc.

Member

@WaleedAshraf WaleedAshraf left a comment

LGTM

Member

@mhdawson mhdawson left a comment

LGTM

@mhdawson
Member

@mhdawson mhdawson commented Jun 6, 2018

@nodejs/tsc it would be good to get more approvals. Unless we get objections I'd plan to land 1 week from today.

@@ -434,6 +435,37 @@ Responsibilities include:
backporting changes to these branches.
* Define the policy for what gets backported to release streams.

### [Security](https://github.com/nodejs/security-wg)

The Security Working Group manages all aspects and process linked to security for Node.js.
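Review bot: "all aspects and process linked to security" mixes a plural with a singular noun; "all aspects and processes" (or simply "the processes") reads correctly. The opening sentence also overstates the scope, since the bullet further down says the WG reviews and recommends processes for handling security reports "but not the actual handling of security reports, which are reviewed by a group of people directly delegated to by the TSC"; stating that boundary in the intro would avoid readers assuming the WG receives and triages reports itself.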
Contributor

@cjihrig cjihrig Jun 6, 2018

process -> processes

... and maybe...

security for Node.js -> Node.js security

* other projects maintained by the Node.js Foundation technical group
* Work with the Node Security Platform to bring community vulnerability data into
the foundation as a shared asset.
* Set up processes and procedures and follow these to ensure the vulnerability
Contributor

@cjihrig cjihrig Jun 6, 2018

I think most of this first sentence could be dropped and start with "Ensure that the..."

data is updated in an efficient and timely manner. For example, ensuring there
are well-documented processes for reporting vulnerabilities in community
modules.
* Work to set a high standard for the Node.js project. Possibly efforts could
Contributor

@cjihrig cjihrig Jun 6, 2018

I'd drop this bullet point.

Responsibilities include:
* Define and maintain security policies and procedures for:
* the core Node.js project
* other projects maintained by the Node.js Foundation technical group
Contributor

@thefourtheye thefourtheye Jun 12, 2018

"Node.js Foundation technical group" - Does this mean TSC?

* Promote the improvement of security practices within the Node.js ecosystem.
* Recommend security improvements for the core Node.js project.
* Facilitate and promote the expansion of a healthy security service and product
provider ecosystem vulnerabilities.
Contributor

@thefourtheye thefourtheye Jun 12, 2018

I couldn't wrap my head around this point. It makes sense without the 'vulnerabilities' at the end though.

@mhdawson
Member

@mhdawson mhdawson commented Jun 20, 2018

Going to land as I believe I updated to address the remaining comments. @thefourtheye if I've not addressed your comments adequately just let me know and I'll open a PR to further refine.

mhdawson added a commit that referenced this issue Jun 20, 2018
PR-URL: #548
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@mhdawson
Member

@mhdawson mhdawson commented Jun 20, 2018

landed as b82207b

@mhdawson mhdawson closed this Jun 20, 2018
@Trott
Member

@Trott Trott commented Jun 20, 2018

Website needs to be updated too at https://nodejs.org/en/about/working-groups/ if there's not already a PR for that. @nodejs/website

By the way, while adding stuff to that page, it might not be a terrible idea to take the time to alphabetize the list of working groups. It seems to be unordered.

@mhdawson
Member

@mhdawson mhdawson commented Jun 20, 2018

PR to add minutes to website nodejs/nodejs.org#1708 including alphabetization.

ChALkeR added a commit to ChALkeR/security-wg that referenced this issue Aug 6, 2018
bengl added a commit to nodejs/security-wg that referenced this issue Aug 16, 2018