Reaching out to other projects of the OpenJS Foundation #511
Comments
Once the CPC is established there will be representatives from each of the projects and it should be pretty easy. At this point @jorydotcom would be the best intermediary. It might be good to wait for the CPC to ramp up, but if we want to start earlier than that then we could start by reaching out to Jory for contacts.
@mhdawson thanks for the clarifications! Let's wait for the CPC indeed.
@vdeturckheim in the interim I can send an old-fashioned email to our old-fashioned JSF mailing list pointing folks to this repo!
@jorydotcom thanks a lot! Let's discuss this in our next meeting!
I am in 💪
Discussed at #541, removing from agenda (but please add back if it should be discussed again).
This was mentioned in the CPC meeting today in the context of openjs-foundation/cross-project-council#326. I think it's the right time to discuss/make a decision on what we think is best. @nodejs/security-wg what are your thoughts? I'm thinking it would make sense to have a group at the OpenJS level, and that the ecosystem triage might fit at that level as well.
I think that's a good idea and perhaps that's an additional one on top of the Node.js one. Just a thought, but I figure that at that level there will be many project ecosystems and so processes and systems (i.e. H1) might vary. So to say, I don't think we'd be copy-pasting the Node.js Security WG to the OpenJS as-is.
If I understand things correctly, the scope here is slightly different: for the Node.js ecosystem we are handling responsible disclosure to a large extent, and for OpenJS right now we are more interested in having consistent policies across several high-profile projects. Then helping those projects out from a triage and disclosure perspective (as we do today for Node.js) would be the next step.
Note that this program is already implicitly handling triage and disclosure for some of https://openjsf.org/projects/, because they are published to npmjs.com. As I noted during the initial adoption of the nsp vuln DB, calling it a "node.js vuln DB" is inaccurate, since its scope is packages on npmjs.com, and while many of those packages run in node.js, many run in the browser, many are CLI tools that run in node.js but are only used for browser development, some only run in the browser, and a tiny minority aren't in js at all...
@sam-github Thanks for calling this out, this is definitely true.
Feedback from last sec-wg meeting: for this to move forward, it will need a champion, someone willing to follow up with the OpenJS foundation and keep this moving forward. Do we have a volunteer?
@sam-github @mhdawson I'm happy to help broadcast this group's meetings or generally put out a call for participation in the weekly update I send out to the projects email list. Also, we could encourage some discussion in the openjsf slack workspace.
@jorydotcom I'd love to be a part of this. I already had a preliminary conversation about it with @mhdawson. I will reach out on Slack.
There doesn't seem to be any topic to discuss live, so removed from agenda. If folks want to champion this, they should get involved; it seems reasonable.
I am already doing some work with the CPC but it's progressing very slowly, mostly due to my availability. I will report back when there is progress. For now we have a stage 0 proposal about security reporting for OpenJSF projects:
Is it worth creating a new doc in
Or perhaps link to process docs being worked on with the OpenJSF CPC?
Yep, good enough too.
I need to take one more action on the OpenJSF proposal. I will link to that proposal from our docs next week and close this issue then.
@MarcinHoppe can we close the issue?
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
We should probably start to reach out to other projects in the Foundation to check which ones would be interested in building a larger security community around JavaScript.
Do we have any way to set up such a discussion?