From 22fe60f896a219ea83eef61773f230bd459534a8 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 3 Aug 2023 11:38:32 -0300 Subject: [PATCH] doc: add meeting minutes --- meetings/2023-08-03.md | 58 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 meetings/2023-08-03.md diff --git a/meetings/2023-08-03.md b/meetings/2023-08-03.md new file mode 100644 index 00000000..8f98cc60 --- /dev/null +++ b/meetings/2023-08-03.md 
@@ -0,0 +1,58 @@ +# Node.js Security team Meeting 2023-08-03 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=fJNDQz9sAQo&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1059 +* **Minutes Google Doc**: https://docs.google.com/document/d/1eLSRK2nKeEnWD1YcEjjROYgVOfuVRPupi7BS5kIMH4I/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Marco Ippolito @marco-ippolito +* Rafael Gonzaga @RafaelGSS +* Michael Dawson @mhdawson +* Ulises Gascon @ulisesgascon +* Ruy Adorno @ruyadorno + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + * Wait NVD database to be fixed - Ref: https://github.com/vehemont/nvdlib/issues/26 + +- [X] OpenSSF Scorecard Monitor Review + - Last report: https://github.com/nodejs/security-wg/pull/1066 + - Organic improvements due SAST analysis and variations based on increasing/decreasing unreviewed changesets + - Ulises will apply stepsecurity auto-prs to all the repos in the org + - We will focus on monitoring from now on using the issue generated. + +### nodejs/security-wg + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * No progress. Just for visibility. + * Marco is investigating this initiative. + +* Initiative for CII-Best-Practices for Node.js Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Ulises will ask TSC for final approval in silver level + * Ulises will prepare the next step: gold level to be reviewed by the team following the previous process. + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Discussion around https://github.com/nodejs/security-wg/issues/1039. 
We agreed to follow option 2 (array/multiple flags) + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * OSSF Funding approved by TSC (no objections until the end of the week) + * OSSF is approved the budget is no objections are presented before the end of the week + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
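Review bot: the two bullets under "Automate security release process" say the same thing, and the second is garbled ("OSSF is approved the budget is no objections are presented before the end of the week"); collapse them into one line, e.g. "OSSF funding approved by TSC, pending no objections until the end of the week". Smaller points in the same file: "Wait NVD database to be fixed" reads better as "Waiting for the NVD database to be fixed", "Organic improvements due SAST analysis" is missing "to", the checkbox markers mix `[x]` and `[X]`, and the "Node.js Project Calendar" bullet under "Upcoming Meetings" has no link target while the following sentence refers to a `+GoogleCalendar` button on it.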