Charter Security WG #548
        
          
WORKING_GROUPS.md (Outdated)
      | * Define and maintain security policies and procedures for: | ||
| * the core Node.js project | ||
| * other projects maintained by the Node.js Foundation technical group | ||
| * Work with the node security project to bring community vulnerability data into | 
node -> Node.js?
Perhaps unfortunately (but perhaps not), the Node Security Platform styles it Node and not Node.js.  See https://medium.com/npm-inc/npm-acquires-lift-security-258e257ef639.
Although I think we still need a change: node security project -> Node Security Platform (assuming I'm right about this referring to Node Security Platform).
        
          
WORKING_GROUPS.md (Outdated)
      | directly delegated to by the TSC). | ||
| * Define and maintain policies and procedures for the coordination of security | ||
| concerns within the external Node.js open source ecosystem. | ||
| * Offer help to npm package maintainers to fix high-impact security bugs | 
Missing period?
        
          
WORKING_GROUPS.md (Outdated)
      | * the core Node.js project | ||
| * other projects maintained by the Node.js Foundation technical group | ||
| * the external Node.js open source ecosystem | ||
| * Promote improvement of security practices within the Node.js ecosystem | 
Missing period?
        
          
WORKING_GROUPS.md (Outdated)
      | * other projects maintained by the Node.js Foundation technical group | ||
| * the external Node.js open source ecosystem | ||
| * Promote improvement of security practices within the Node.js ecosystem | ||
| * Recommend security improvements for the core Node.js project | 
Missing period?
| It seems this TOC also needs updating: | 
LGTM
Great job @vdeturckheim 👍
Can you also add a link to this section at the line in the reference above. #line247
        
          
WORKING_GROUPS.md (Outdated)
      | the foundation as a shared asset. | ||
| * Set up processes and procedures and follow these to ensure the vulnerability | ||
| data is updated in an efficient and timely manner. For example, ensuring there | ||
| are well documented processes for reporting vulnerabilities in community | 
well documented -> well-documented
        
          
WORKING_GROUPS.md (Outdated)
      | include penetration testing, security reviews etc, review guidelines, coding | ||
| standards etc. | ||
| * Review and recommend processes for handling of security reports (but not the | ||
| actual handling of security reports, which are reviewed by a group of people | 
nit: Maybe it's more clear to change handling -> administration? Maybe not. 👍
        
          
WORKING_GROUPS.md (Outdated)
      | modules. | ||
| * Work to set a high standard for the Node.js project. Possibly efforts could | ||
| include penetration testing, security reviews etc, review guidelines, coding | ||
| standards etc. | 
Missing comma: standards etc. -> standards, etc.
        
          
WORKING_GROUPS.md (Outdated)
      | are well documented processes for reporting vulnerabilities in community | ||
| modules. | ||
| * Work to set a high standard for the Node.js project. Possibly efforts could | ||
| include penetration testing, security reviews etc, review guidelines, coding | 
Remove multiple etc.
security reviews etc -> security reviews
        
          
WORKING_GROUPS.md (Outdated)
      | * the core Node.js project | ||
| * other projects maintained by the Node.js Foundation technical group | ||
| * the external Node.js open source ecosystem | ||
| * Promote improvement of security practices within the Node.js ecosystem | 
Promote improvement -> Promote the improvement
| Thanks for the reviews. I updated the doc. | 
LGTM
LGTM
| @nodejs/tsc it would be good to get more approvals. Unless we get objections I'd plan to land 1 week from today. | 
        
          
WORKING_GROUPS.md (Outdated)
      |  | ||
| ### [Security](https://github.com/nodejs/security-wg) | ||
|  | ||
| The Security Working Group manages all aspects and process linked to security for Node.js. | 
process -> processes
... and maybe...
security for Node.js -> Node.js security
        
          
WORKING_GROUPS.md (Outdated)
      | * other projects maintained by the Node.js Foundation technical group | ||
| * Work with the Node Security Platform to bring community vulnerability data into | ||
| the foundation as a shared asset. | ||
| * Set up processes and procedures and follow these to ensure the vulnerability | 
I think most of this first sentence could be dropped and start with "Ensure that the..."
        
          
WORKING_GROUPS.md (Outdated)
      | data is updated in an efficient and timely manner. For example, ensuring there | ||
| are well-documented processes for reporting vulnerabilities in community | ||
| modules. | ||
| * Work to set a high standard for the Node.js project. Possibly efforts could | 
I'd drop this bullet point.
        
          
WORKING_GROUPS.md (Outdated)
      | Responsibilities include: | ||
| * Define and maintain security policies and procedures for: | ||
| * the core Node.js project | ||
| * other projects maintained by the Node.js Foundation technical group | 
"Node.js Foundation technical group" - Does this mean TSC?
        
          
WORKING_GROUPS.md (Outdated)
      | * Promote the improvement of security practices within the Node.js ecosystem. | ||
| * Recommend security improvements for the core Node.js project. | ||
| * Facilitate and promote the expansion of a healthy security service and product | ||
| provider ecosystem vulnerabilities. | 
I couldn't wrap my head around this point. It makes sense without the 'vulnerabilities' at the end though.
| Going to land as I believe I updated to address the remaining comments. @thefourtheye if I've not addressed your comments adequately just let me know and I'll open a PR to further refine. | 
PR-URL: #548 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
| landed as b82207b | 
| Website needs to be updated too at https://nodejs.org/en/about/working-groups/ if there's not already a PR for that. @nodejs/website By the way, while adding stuff to that page, it might not be a terrible idea to take the time to alphabetize the list of working groups. It seems to be unordered. | 
| PR to add minutes to website nodejs/nodejs.org#1708 including alphabetization. | 
Refs: nodejs/TSC#548 Refs: nodejs#368 Fixes: nodejs#365
Refs: nodejs/TSC#548 Refs: #368 Fixes: #365
This PR adds the Security WG as a chartered WG.
This probably can't be merged until nodejs/security-wg#295 is merged.
After this, is there anything else I should do to have this validated?
cc @mhdawson