doc: add meeting notes 2023-03-02 (#900)

nodejs · Mar 4, 2023 · 1a58d47 · 1a58d47
1 parent 38118ac
commit 1a58d47
Showing 1 changed file with 76 additions and 0 deletions.
diff --git a/meetings/2023-03-02.md b/meetings/2023-03-02.md
@@ -0,0 +1,76 @@
+# Node.js  Security WorkGroup Meeting 2023-03-02
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=Y6PoSQe-No0&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/897
+* **Minutes Google Doc**: https://docs.google.com/document/d/1a52brWbICOR-H7MlxGf_cNEyhINTM4wHXfaGMd98pPM/edit
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Rafael Gonzaga: @RafaelGSS
+* GENTILHOMME Thomas: @fraxken
+* Marco Ippolito: @marco-ippolito
+* Carlos Ayala: @CarlossAyala
+* Bradley Farias: @bmeck
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+
+### nodejs/security-wg
+
+* Improve SecurityWG Scorecard #884
+  * It’s a good-first-issue for newcomers
+  * We can also enable dependabot to submit PRs to address those issues
+  * We've also adjusted to require pull request before landing code to main in order to improve your score (didn't work)
+
+* Automate security release process #860
+  * Nothing change since last week.
+  * Draft PR open, there is work to be done
+
+* Assessment against best practices (OpenSSF Scorecards ...) #859
+  * The task was completed.
+  * We’ll keep it in the agenda until next meeting
+  * The remaining topics should be discussed in their own issue, similar to #884.
+
+* Add OSSF Scorecard #851
+
+* Discussion about policy-integrity integration on Windows #856
+  * Bradley: Need to find a location for determining policy to load for a given application/entry-point for their hardened node binary.
+  * Rafael: Can we create a draft PR for something?
+  * Bradley: We could make 2 flags, 1 to require a policy file, 1 to require the sidecar file but unlikely to ever be used w/o the OS integration or hardened node forms.
+
+* Automate updates of all dependencies #828
+  * llhttp was merged
+  * openssl was merged
+  * nghttp2 was merged
+  * We’ll cover all the updates for the main branch and then think about the other active release lines
+
+* Permission Model #791
+  * Concluded.
+
+* Permission Model - Roadmap - https://github.com/nodejs/security-wg/issues/898
+  * https://docs.google.com/document/d/1y_o9WjagX-TYUcxqfvecYi4x65v9bsSd6Sb-P3Cc4F4/view#heading=h.tors2xd8bhfj
+    * Bradley: strong disagreement on putting in package.json - E.G. updating a CLI could be privilege escalation, conflicts due to per package vs process level permissions, admin may want to limit package that has telemetry for example which would put it as separate from package.json
+    * Could have package.json inform / create the permissions JSON in other well known location
+    * Beware of fall through attacks etc. as in policy location doc above
+  * Brainstorming around net permissions (iptables, eBPF)
+
+### nodejs/nodejs-dependency-vuln-assessments
+
+* Recursive support on Node.js dependencies #89
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+