Security-wg: Update on Node.js Security Working Group

Created on 28 Dec 2017 · 10 Comments · Source: nodejs/security-wg

I thought it would be good to write a blog post on what is currently happening within this working group and projects that you might need help on. It can be a reflection on what you've achieved in 2017 and main goals/projects you are focusing on as we kick off 2018. What does this group think? And if you like this idea, who would like to be interviewed for this blog post? I would also have you review it before we post on the Node.js Foundation and Node.js Collection Medium page. I would imagine it would be similar in format to this TSC post with a forward by someone in this group and then an explanation on what you worked on in 2017, what you are doing now and where you need help: https://medium.com/the-node-js-collection/the-current-state-of-implementation-and-planning-for-esmodules-a4ecb2aac07a

security-wg-agenda

All 10 comments

If a post gets written, I think at least a few things to be included are:

Things that have already been done.

Things being discussed / worked on.

I'm not sure what others might think, but that seems like a good start for a status blog post to me.

Thanks @cjihrig, I think I can probably get something going based on this. We've covered the ^Lift news a bit; has anything changed or been updated since they donated the project to NF? Also, are any of the items listed above something that was worked on in 2017? I'm trying to highlight last year or the most recent progress. This question is open to others as well.

We've covered the ^Lift news a bit, has anything changed or been updated since they donated the project to NF?

I don't think so. It's just useful for setting a timeline.

Also are any of the items listed above something that was worked on in 2017?

Yes, all of them (except the initial donation) happened in 2017.

I think the donation was announced in 2016 and finalized in 2017?

It was announced in 2016. We got the data dump in 2017. I'm not sure what went on behind the scenes between the two times.

We might also mention that we clarified the expectations on members of the security group in terms of information disclosure.

I think @vdeturckheim would be a good person to interview on the process for handling third-party vulnerabilities. I'm happy to chime in on the CNA process and the processes mentioned in the last bullet point from @cjihrig's suggestions.

I planned to write articles about our processes. It might be a good occasion to do so!

@vdeturckheim were you thinking of adding any of the 2018 goals within this article or better to do two separate articles? If two separate articles, could we set up a quick call this week, so I can pick your brain about the items that Colin mentioned above? I want to make sure I understand everything. Once I type it up, I'll have this group edit, before we post.

@ZibbyKeaton, we might want to write more than one article here. I'm totally in for a call this week.
What day is best for you?
