
Reaching out to other projects of the OpenJS Foundation

Open vdeturckheim opened this issue 5 years ago • 23 comments

We should probably start to reach out to other projects in the Foundation to check which ones would be interested in building a larger security community around JavaScript.

Do we have any way to setup such discussion?

vdeturckheim avatar Apr 05 '19 15:04 vdeturckheim

Once the CPC is established there will be representatives from each of the projects and it should be pretty easy. At this point @jorydotcom would be the best intermediary. It might be good to wait for the CPC to ramp up but if we want to start earlier than that then we could start by reaching out to Jory for contacts.

mhdawson avatar Apr 05 '19 15:04 mhdawson

@mhdawson thanks for the clarifications! Let's wait for the CPC indeed.

vdeturckheim avatar Apr 05 '19 15:04 vdeturckheim

@vdeturckheim in the interim I can send an old-fashioned email to our old-fashioned JSF mailing list pointing folks to this repo!

jorydotcom avatar Apr 07 '19 20:04 jorydotcom

@jorydotcom thanks a lot! Let's discuss this in our next meeting!

vdeturckheim avatar Apr 08 '19 14:04 vdeturckheim

I am in 💪

christian-bromann avatar Apr 13 '19 14:04 christian-bromann

Discussed at #541 , removing from agenda (but please add back if it should be discussed again).

sam-github avatar Jun 17 '19 20:06 sam-github

related: https://github.com/openjs-foundation/cross-project-council/issues/326

sam-github avatar Oct 08 '19 16:10 sam-github

This was mentioned in the CPC meeting today in the context of openjs-foundation/cross-project-council#326. I think it's the right time to discuss/make a decision on what we think is best.

@nodejs/security-wg what are your thoughts? I'm thinking it would make sense to have a group at the OpenJS level, and that the ecosystem triage might fit at that level as well.

mhdawson avatar Oct 08 '19 17:10 mhdawson

I think that's a good idea and perhaps that's an additional one on top of the Node.js one. Just a thought, but I figure that at that level there will be many project ecosystems and so processes and systems (i.e: H1) might vary. So to say, I don't think we'd be copy&pasting the Node.js Security WG to the OpenJS as-is.

lirantal avatar Oct 08 '19 17:10 lirantal

If I understand things correctly, the scope here is slightly different: for the Node.js ecosystem we are handling responsible disclosure to a large extent and for OpenJS right now we are more interested in having consistent policies across several high profile projects. Then helping those projects out from triage and disclosure perspective (as we do today for Node.js) would be the next step.

@mhdawson @lirantal Does it sound reasonable?

MarcinHoppe avatar Oct 09 '19 08:10 MarcinHoppe

Note that this program is already implicitly handling triage and disclosure for some of https://openjsf.org/projects/, because they are published to npmjs.com

As I noted during the initial adoption of the nsp vuln DB, calling it a "node.js vuln DB" is inaccurate, since its scope is packages on npmjs.com, and while many of those packages run in node.js, many run in the browser, many are CLI tools that run in node.js but are only used for browser development, some only run in the browser, and a tiny minority aren't in js at all...

sam-github avatar Oct 09 '19 15:10 sam-github

@sam-github Thanks for calling this out, this is definitely true.

MarcinHoppe avatar Oct 09 '19 15:10 MarcinHoppe

Feedback from last sec-wg meeting: For this to move forward, it will need a champion, someone willing to follow up with the OpenJS foundation, and keep this moving forward. Do we have a volunteer?

sam-github avatar Dec 02 '19 16:12 sam-github

@sam-github @mhdawson I'm happy to help broadcast this group's meetings or generally put out a call for participation in the weekly update I send out to the projects email list. Also, we could encourage some discussion in the openjsf slack workspace.

jorydotcom avatar Feb 04 '20 18:02 jorydotcom

@jorydotcom I'd love to be a part of this. I already had a preliminary conversation about it with @mhdawson. I will reach out on Slack.

MarcinHoppe avatar Feb 05 '20 11:02 MarcinHoppe

There doesn't seem to be any topic to discuss live, so removed agenda.

If folks want to champion this, they should get involved, it seems reasonable.

sam-github avatar May 18 '20 15:05 sam-github

I am already doing some work with the CPC but it's progressing very slowly, mostly due to my availability. I will report back when there is progress.

For now we have a stage 0 proposal about security reporting for OpenJSF projects:

https://github.com/openjs-foundation/cross-project-council/pull/489

MarcinHoppe avatar May 19 '20 08:05 MarcinHoppe

Is it worth creating a new doc in the processes/ folder to document progress, which you can PR to as things progress, and closing this one?

lirantal avatar May 19 '20 08:05 lirantal

Or perhaps link to process docs being worked on with the OpenJSF CPC?

MarcinHoppe avatar May 19 '20 08:05 MarcinHoppe

Yep, good enough too.

lirantal avatar May 19 '20 17:05 lirantal

I need to take one more action on the OpenJSF proposal. I will link to that proposal from our docs next week and close this issue then.

MarcinHoppe avatar May 20 '20 08:05 MarcinHoppe

@MarcinHoppe can we close the issue?

fraxken avatar Jul 17 '22 13:07 fraxken

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

github-actions[bot] avatar Oct 16 '22 00:10 github-actions[bot]