Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated security team to reflect the status quo #1102

Merged
merged 2 commits into from
Nov 8, 2021
Merged

Conversation

mcollina
Copy link
Member

cc @nodejs/tsc

New volunteers would be highly welcomed.

@richardlau
Copy link
Member

This should match https://github.com/orgs/nodejs/teams/security-triage/members (see the ncu-team-sync markers for syncing the list via node-core-utils).

@mcollina
Copy link
Member Author

Then could somebody else take care of this update? Thanks :).

@mcollina
Copy link
Member Author

@nodejs/tsc I've put this in the agenda.

@Trott
Copy link
Member

Trott commented Oct 18, 2021

This should match https://github.com/orgs/nodejs/teams/security-triage/members (see the ncu-team-sync markers for syncing the list via node-core-utils).

Additionally, nodejs security-triage should match nodejs-private security-triage and it does not. I'll take care of this.

@Trott
Copy link
Member

Trott commented Oct 18, 2021

I'll take care of this.

Ooof, actually, yeah, let's discuss this at the meeting. There are some discrepancies that may not be trivial to resolve.

@Trott
Copy link
Member

Trott commented Oct 18, 2021

Update is in #1105, but perhaps let's keep this open so that we can discuss the following at the TSC meeting (or in the private segment):

  • Are there people on the triage list that should be removed?
  • We need more triagers. How do we make that happen?
  • Automatically updating the last list in the file will add the Trail of Bits folks. Is that OK?
    • Some Trail of Bits folks have not accepted their GitHub team invitations and/or HackerOne invitations. is that OK?
  • The list of random-ish folks who have perma-access...seems like an anti-pattern that gets us into trouble with having a bazillion people with access, none of whom use or need it. Let's delete it and that whole idea, yeah?

@mhdawson
Copy link
Member

The list of random-ish folks who have perma-access...s

I think we should break this out so that it's clear which people have access as TSC members and which are for another reason. We should probably then review that list at least quarterly to remove people who are not active. I think there are number of people who should be removed tat this point.

@mhdawson
Copy link
Member

I'll add that my main reason for not agreeing we should just delete the whole idea is that we need to figure out how to better enable people to contribute to the security side of the work versus just having TSC members be the ones with access.

@Trott
Copy link
Member

Trott commented Oct 19, 2021

@mhdawson I didn't communicate as clearly as I could have. The random-ish list is referring specifically to "These non-TSC and TSC Emeriti also have access:". That list and entire concept needs to be removed.

That doesn't remove non-TSC people. It just removes a random "we're leaving these people on because we like them" list. People not on the TSC can (and should) still be on the triage list above that list, for example.

@Trott
Copy link
Member

Trott commented Oct 19, 2021

Oh, wait, I see. The one list I'm talking about is HackerOne specific, while the other one is nodejs private repo. This is a mess. It's out of date and will never be properly maintained until we automate it.

@Trott Trott merged commit dbfa672 into main Nov 8, 2021
@Trott Trott deleted the mcollina-patch-1 branch November 8, 2021 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants