From f85b3eab9b2da8bc9ae507d4077595d1a4949767 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 12 May 2023 10:35:05 +0200 Subject: [PATCH 1/2] docs: added meeting minutes 2023-05-11 related https://github.com/nodejs/security-wg/issues/977 --- meetings/2023-05-11.md | 66 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 meetings/2023-05-11.md diff --git a/meetings/2023-05-11.md b/meetings/2023-05-11.md new file mode 100644 index 00000000..53d3a5d3 --- /dev/null +++ b/meetings/2023-05-11.md @@ -0,0 +1,66 @@ +# Node.js Security WorkGroup Meeting 2023-05-11 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=xtbjcbMjAvQ +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/977 +* **Minutes Google Doc**: https://docs.google.com/document/d/19rq7F__F3qSdW8v3CeACJ6LpWHLlnWZsTgJWVWUwltI/edit + +## Present + +* Security wg team: @nodejs/security-wg +Marco Ippolito @marco-ippolito +Thomas GENTILHOMME @fraxken +Ulises Gascon: @ulisesGascon + + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [ ] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - Waiting for OpenSSL release +- [ ] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ +https://github.com/nodejs/security-wg/pull/981 + - No big changes. Just some organic changes for Undici + +### nodejs/security-wg + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Ulises: will merge and resolve the discussions for Entry-level PR: https://github.com/nodejs/security-wg/pull/954 + * Ulises will ask for permissions to push the changes to the OpenSSF project site + * We can start the discussion for silver-level in PR: https://github.com/nodejs/security-wg/pull/955 + * We have discussed if we can extend this to Undici as well +* Improve Node.js Scorecard [#929](https://github.com/nodejs/security-wg/issues/929) + * Ulises will update the report and remove it from the agenda +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Marco started to work in the path resolver in c++ +* Improve SecurityWG Scorecard [#884](https://github.com/nodejs/security-wg/issues/884) + * Ulises will update the report and remove it from the agenda + * We need to check how to get access to the security tab in Github for the Security WG team members. Ulises will create an issue about it +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * During the collaborators summit Rafael mentioned that there is room for the community to support this initiative with automations/tooling.. + * Ulises to discuss with Refael if we can create a task list/introduction in the next session so the community can pick pending actions and help us. +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + * It will be great to update the issue (as it is a reference) and update the pending actions and activities on going. +* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) + * No forum to discuss about it +* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) + * Marco has almost completed all the dependencies + * There is a discussion ongoing about this PR: https://github.com/nodejs/node/pull/47742. Your feedback is appreciated to unblock the discussion. + * Next step is to work in the regression so we can port the updated dependencies to the other Node.js versions available (16,18..). + * Marco will add more issues to the agenda for the next phase + +## Q&A, Other + + * Congratulations to the Security WG from the collaborators summit, there is a very positive feedback for the job we made the last months. + * Security is going to be a key part in Node.js for the following years. + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. + From dc7029a82b610742bd8f23bd5435bac4494a0a99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Fri, 12 May 2023 11:50:17 +0200 Subject: [PATCH 2/2] Update meetings/2023-05-11.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tobias Nießen --- meetings/2023-05-11.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meetings/2023-05-11.md b/meetings/2023-05-11.md index 53d3a5d3..8181f637 100644 --- a/meetings/2023-05-11.md +++ b/meetings/2023-05-11.md @@ -9,10 +9,9 @@ ## Present * Security wg team: @nodejs/security-wg -Marco Ippolito @marco-ippolito -Thomas GENTILHOMME @fraxken -Ulises Gascon: @ulisesGascon - + * Marco Ippolito @marco-ippolito + * Thomas GENTILHOMME @fraxken + * Ulises Gascon: @ulisesGascon ## Agenda