Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: add minutes for meeting 17 dec 2018 #104

Merged
merged 5 commits into from Jan 2, 2019
Merged

doc: add minutes for meeting 17 dec 2018 #104

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
30edf78
doc: add minutes for meeting 17 dec 2018
mhdawson Dec 17, 2018
53d167c
Squash: fix recording link
mhdawson Dec 17, 2018
0a2b68f
squash: address comments
mhdawson Jan 2, 2019
3d7cc58
Address comments.
wesleytodd Jan 2, 2019
ccff1e1
Address comments
Eomm Jan 2, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
143 changes: 143 additions & 0 deletions meetings/2018-12-17.md
View file
Open in desktop
@@ -0,0 +1,143 @@
# Node.js Foundation Package Maintenance Team Meeting 2018-12-17

## Links

* **Recording**: [Package Maintenance Team meeting - Dec 17th](https://www.youtube.com/watch?v=2tvt_vIxQJI)
* **GitHub Issue**: https://github.com/nodejs/package-maintenance/issues/91

## Present
* Glenn Hinks (@ghinks)
* Matteo Collina (@mcollina)
* David Harris (@sympatheticmoose)
* Benjamin Lupton (@balupton)
* Rick Markins (@rkmarks)
* Joel Chen (@jchip)
* Wes Todd (@wesleytodd)
* Michael Dawson( @mhdawson)
* Ankur Oberoi (@aoberoi)
* Antonio Gonzalez (@bluesockets)
* Viktor Vershanskij (@wentout)
* Pavel Vostrikov (@vostrik)
* Dominykas Blyžė (@dominykas)
* Potham (@potham)
* Jordan Harband (@ljharb)
* Manuel Spigolon (@eomm)
## Agenda

## Announcements

*Extracted from **package-maintenance-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

* Agree on standard meeting process
* Agreed to follow usual Node.js meeting process

* Discuss recurring meeting times
* Use this time as one of the 2 time slots
* Joel - Second meeting is a good idea.
* Michael will open a second doodle to choose a second time slot that favors different timezone
than the first one.

* Review initial goals and identify first steps

* Glen, one of the biggest challenges, often there is not a process for how people
can get onboarded to help.

* LJHarb - many people have signed up to join, key thing is to figure out different member
categories. Identifying people who want to participate in group management versus being
involved in specific initiatives. “Package maintenance” means so much to everybody need to
focus on some specific things. Would be useful to document what initial focus we have.

* Matteo, don’t believe there will be as much contention as there is in the modules team.
We should start with governance that is closer to the groups of the other Node.js WGs.
Would find out from friendlies (Node.js collaborators, or those who are close to Node.js)
where there are problems and test those on some specific projects. Learn as we go along.

* Ankur - not sure what the problems are we should figure that out first. Believes actual problem
is that person who stepped up was not trusted. What would we do with the list.

* Joel, popular want to help authors with transfer.

* Wes - on the trust front. That is a really slippery front. Figuring out who can help in certain
situations. More effective approach would be to manage, notify

* Benjamin - from original goals, nothing specific about improving security.
* suggested things to work on:
* improve maintenance so node upgrades happen quicker, and package version upgrade
quicker, leaving less old versions exposed
* improve maintenance processes, to ease the burden, so more packages are maintained
* prevent attack vectors of unmaintained packages being exploited from accidental security
vulnerabilities - what are these vectors? outdated dependencies
* prevent attack vectors of popular packages being exploited from intentional security
vulnerabilities - what are these vectors? malicious dependencies
* how to reduce the damage of these attack vectors

* Wes - restricting what package can do is not something we should focus on. Does not make
maintaining them easier.

* Edgar - do we have a dashboard that shows problems are starting to occur and look at how to
aggregate data around the problems? To observer patterns.

* Antonio - as a package maintainer, more information about security/trust for a module would
be helpful.

* Ankur, would a best practice guide be bad because it would be a false sense of security. My
opinion is that providing some guidance does improve the situation.

* Wes, if people wanted to take that on then it is useful, but work to keep up to date and
relevant.

* Updated list of starting goals
* Define and document how to prioritize which packages are key to the
Node.js ecosystem and how/what assistance can/should be provided.
One of the key aspects of this is understanding what communication
channels we need in order to be able to identify when specific
issues are slowing migration from one Node.js version to another
or causing friction in the ecosystem in some other way.

* Building and documenting guidance, tools and processes that
businesses can use to identify packages on which they depend,
and then to use this information to be able to build a business
case that supports their organization and developers helping to
maintain those packages.

* Documenting a backlog and providing resources that help
businesses identify how their developers can ramp up and
get engaged to help. Test and validate a workflow by helping
with some issues that are slowing migration to Node.js 10.x.

* Building, documenting and evangelizing guidance, tools and
processes (for example LTS for modules)
that make it easier for maintainers to manage multiple
streams and accept help from those who depend on their module.

* Onboarding to enable people to get engaged with the work under this effort.

* Process to get sub-teams working

* Extending Canary in the Gold mine.

* Agreed next steps

* Defining so key packages and friendlies - Express ecosystem
* Wes to open issue to get this started [#105](https://github.com/nodejs/package-maintenance/issues/105)

* Defining the problems. (Matteo)
* Matteo to open issue to get this started

* Best practices (Edgar/Rick/Michael)
* Edgar/Rick/Michael to open issue to get this started.

## Q&A, Other

Ben: How come we don’t use google doc formatting?

Ben: Something like this (the below image) seems to be the overlaps / focus of the groups, correct?


## Upcoming Meetings

* **Node.js Foundation Calendar**: https://nodejs.org/calendar

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.