security-wg icon indicating copy to clipboard operation
security-wg copied to clipboard
verified publisher icon nodejs

Collaborators Inactivity Policy Review

Open marco-ippolito opened this issue 1 year ago • 5 comments

Refs: https://github.com/nodejs/node/pull/52459 I believe it would be great to add this discussion to the agenda. We can have a look at the current policy for inactivity and elaborate an opinion.

cc @anonrig

marco-ippolito avatar Apr 17 '24 18:04 marco-ippolito

Yep, this is great! We can also extend the threat model a bit to explain how the roles in the organization can impact the final users in case of bad actors or human errors. It would be beneficial to document in simple terms all the measures we have in place to prevent this (as referenced here) and how the organization promotes individuals to those roles, etc.

I believe that from an external point of view, this might be an interesting topic to cover, especially when adopting Node.js, particularly in commercial companies.

UlisesGascon avatar Apr 18 '24 13:04 UlisesGascon

I would like to expand this discussion to a more sensitive role of Node.js organization: Releasers.

  • Is there a security concern about keeping inactive releaser keys in our machines?
  • Is the process of signing releases from a collaborator easily exploited?
  • Should we be more restrictive to the inactive limit for releasers? And what about security-triagge group?

cc/ @nodejs/releasers

RafaelGSS avatar Apr 18 '24 20:04 RafaelGSS

In terms of the suggested expantions, the intention was to look at it from a top level model (separate from our existing threat model) which would include all ways that supply chain security might be compromised and what we have in place already to address those concernts.. I think this would include all of the different roles we have in terms of access as well as people with no access at all. The top level view should help us understand the relative risks and were it might be best to focus our energy. One way to start might be to build the list of

  • classes instractructure that are used in the project (test machines, jenkins machnines, release machines etc.)
  • what having access to those classes of infrastructure would let people do
  • Different roles that give people different levels of access to those components
  • The projections/approaches we already have in place to mitigate risks

EDIT: which in part I meant to say all those suggestions are good ideas to include in the scope.

mhdawson avatar Apr 18 '24 22:04 mhdawson

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Jul 25 '24 00:07 github-actions[bot]

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Oct 24 '24 00:10 github-actions[bot]

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Jan 25 '25 00:01 github-actions[bot]

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Apr 26 '25 00:04 github-actions[bot]

https://github.com/nodejs/node/pull/52459 has been closed, we can close this too

marco-ippolito avatar Jun 09 '25 08:06 marco-ippolito