Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add meeting notes 2023-03-02 #900

Merged
merged 1 commit into from
Mar 4, 2023
Merged

doc: add meeting notes 2023-03-02 #900

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions meetings/2023-03-02.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# Node.js Security WorkGroup Meeting 2023-03-02

## Links

* **Recording**: https://www.youtube.com/watch?v=Y6PoSQe-No0&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/897
* **Minutes Google Doc**: https://docs.google.com/document/d/1a52brWbICOR-H7MlxGf_cNEyhINTM4wHXfaGMd98pPM/edit

## Present

* Security wg team: @nodejs/security-wg
* Rafael Gonzaga: @RafaelGSS
* GENTILHOMME Thomas: @fraxken
* Marco Ippolito: @marco-ippolito
* Carlos Ayala: @CarlossAyala
* Bradley Farias: @bmeck

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues

### nodejs/security-wg

* Improve SecurityWG Scorecard #884
* It’s a good-first-issue for newcomers
* We can also enable dependabot to submit PRs to address those issues
* We've also adjusted to require pull request before landing code to main in order to improve your score (didn't work)

* Automate security release process #860
* Nothing change since last week.
* Draft PR open, there is work to be done

* Assessment against best practices (OpenSSF Scorecards ...) #859
* The task was completed.
* We’ll keep it in the agenda until next meeting
* The remaining topics should be discussed in their own issue, similar to #884.

* Add OSSF Scorecard #851

* Discussion about policy-integrity integration on Windows #856
* Bradley: Need to find a location for determining policy to load for a given application/entry-point for their hardened node binary.
* Rafael: Can we create a draft PR for something?
* Bradley: We could make 2 flags, 1 to require a policy file, 1 to require the sidecar file but unlikely to ever be used w/o the OS integration or hardened node forms.

* Automate updates of all dependencies #828
* llhttp was merged
* openssl was merged
* nghttp2 was merged
* We’ll cover all the updates for the main branch and then think about the other active release lines

* Permission Model #791
* Concluded.

* Permission Model - Roadmap - https://github.com/nodejs/security-wg/issues/898
* https://docs.google.com/document/d/1y_o9WjagX-TYUcxqfvecYi4x65v9bsSd6Sb-P3Cc4F4/view#heading=h.tors2xd8bhfj
* Bradley: strong disagreement on putting in package.json - E.G. updating a CLI could be privilege escalation, conflicts due to per package vs process level permissions, admin may want to limit package that has telemetry for example which would put it as separate from package.json
* Could have package.json inform / create the permissions JSON in other well known location
* Beware of fall through attacks etc. as in policy location doc above
* Brainstorming around net permissions (iptables, eBPF)

### nodejs/nodejs-dependency-vuln-assessments

* Recursive support on Node.js dependencies #89

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.