
doc: add meeting notes 2023-02-16 #878

Merged
merged 1 commit into from
Feb 16, 2023
73 changes: 73 additions & 0 deletions meetings/2023-02-16.md
@@ -0,0 +1,73 @@
# Node.js Security WorkGroup Meeting 2023-02-16

## Links

* **Recording**: https://www.youtube.com/watch?v=HAqMRXb9aw4
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/877

## Present

* Security wg team: @nodejs/security-wg
* Ulises Gascon: @ulisesGascon
* Thomas GENTILHOMME: @fraxken
* Rafael Gonzaga: @RafaelGSS
* Zb Tenerowicz: @naugtur
* Marco Ippolito @marco-ippolito
* Michael Dawson @mhdawson
* Lee Holmes
* Bradley Farias @bmeck
* Iago Calazans
* Robert Wait

## Agenda

## Announcements

Working on the next security Release, probably it will released today

*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- NPM Vulnerability (discussed in the past) will be patched in the next release

### nodejs/security-wg

* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856)
* Robert Waite and Lee Holmes lead the discussion
* They have been reviewing the policy integrity for Win machines
* Attack vector: An attacker that has access to the target system (compromise infra or similar scenarios) can modify a file and update the policy and CLI argument invocation with the new Hash and reboot the Node.js process.
* Prototype that uses detached signature to sign policy, with cert trusted by the systems policy system
* There is a potential PR ready with the changes suggested
* Discussions about possible implementations
* Overlap with Single Binary Application effort

* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* DraftPR created https://github.com/nodejs/node-core-utils/pull/665
* Additional PR to be created for landing node in the private repository

* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
* Demo for the security recommendations generated by the code scanning
* Demo for the Github Action to generate reports collecting scorecard results
* PR to be submitted with a new Pipeline to check scores for Nodejs and Undici
* ask to enable code scanning in Undici
* Add OSSF Scorecard [#851](https://github.com/nodejs/security-wg/issues/851)

* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828)
* Marco has been working on the nghttp2 automation

* Permission Model [#791](https://github.com/nodejs/security-wg/issues/791)
* Good news! Permission Model is ready to go (technically)
* Waiting for CI unlock to trigger another CI
* Need to address/answer Tobias comment first

### nodejs/nodejs-dependency-vuln-assessments

* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89)

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
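Review bot: the attendee list and the #856 notes disagree on one name, "Robert Wait" under Present versus "Robert Waite" in the policy-integrity item; pick one spelling so the notes can be searched consistently. Three smaller points in the same file: the `## Agenda` heading is empty and runs straight into `## Announcements` (either drop it or move the extracted-issues block under it); the line `*Extracted from **security-wg-agenda** labeled issues and pull requests ...` opens with a stray `*` that renders as a list marker, so either remove it or close the italics at the end of the sentence; and the announcement "probably it will released today" is missing "be". Since the #856 entry records a threat model (an attacker with local access rewriting the policy file, its hash and the CLI invocation) it would help future readers if the note also stated what the detached-signature prototype is meant to mitigate and where the pending PR lives once it is opened.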