-
-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: meeting minutes for 2024-10-21
closes #32
- Loading branch information
1 parent
c952ac6
commit 87279c1
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # Express Security WG Meeting 2024-10-21 | ||
|
|
||
|
|
||
| ## Links | ||
|
|
||
| * **Recording**: No recording | ||
| * **GitHub Issue**: https://github.com/expressjs/security-wg/issues/32 | ||
| * **Minutes Google Doc**: https://docs.google.com/document/d/1Vh5T7BFexQcVhTT0b07kATunt-XDcUhhguQzheg8rUk/edit?tab=t.0 | ||
|
|
||
| ## Present | ||
|
|
||
| * Ulises Gascón (@UlisesGascon) | ||
| * Carlos Serrano (@carpasse) | ||
| * Tobias Heldt (@0xAverageUser) | ||
| * Chris de Almeida (@ctcpip) | ||
|
|
||
|
|
||
| ## Agenda | ||
|
|
||
| ## Announcements | ||
|
|
||
| * Blog post soon about the Security audit performed: https://github.com/expressjs/expressjs.com/pull/1657 | ||
| * Participation in the Security Program Standards [#33](https://github.com/expressjs/security-wg/issues/33) | ||
| * We will discuss it soon with Adam in the following meetings | ||
| * Express will be the first project participating here and we will provide useful feedback to the foundation | ||
| * If anyone want to lead the initiative, please let us know | ||
|
|
||
| ### expressjs/security-wg | ||
|
|
||
| * Proposal: Move scorecards into a single repo [#31](https://github.com/expressjs/security-wg/issues/31) | ||
| * Explore if this is feasible, currently seems like there are some features that requires the workflow to run in the repository like the branch rules detection | ||
| * Tobias is willing to help | ||
| * the idea here will be to review the scorecard scoring in every monthly meeting | ||
| * Discussion around supply chain (for us): | ||
| * How deep do we want to track out dependencies? | ||
| * We might want to focus on the licenses first? | ||
| * Proposal: add repository security advisory #30 | ||
| * We are ok to enable it, but we want to do it at org level and once the security policy is updated | ||
| * We need to update the security policy to include a email (mail alias). Currently we are working with the foundation into this. | ||
| * Discussion around https://osv.dev/ | ||
| * Update information about the latest security updates [#29](https://github.com/expressjs/security-wg/issues/29) | ||
| * No time to discuss | ||
| * Meeting next week? [#28](https://github.com/expressjs/security-wg/issues/28) | ||
| * No time to discuss | ||
| * Socket.dev reports on all our repos [#17](https://github.com/expressjs/security-wg/issues/17) | ||
| * No time to discuss | ||
| * OSTIF Audit for Express [#6](https://github.com/expressjs/security-wg/issues/6) | ||
| * No time to discuss | ||
| * Express.js Threat Model [#3](https://github.com/expressjs/security-wg/issues/3) | ||
| * No time to discuss | ||
| * Implementing OSSF Scorecard [#2](https://github.com/expressjs/security-wg/issues/2) | ||
| * No time to discuss | ||
| * Express.js Security WG Initiatives 2024 [#1](https://github.com/expressjs/security-wg/issues/1) | ||
| * No time to discuss | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ## Q&A, Other | ||
|
|
||
| * We need to automate the issue creation with the agenda items. | ||
|
|
||
| ## Upcoming Meetings | ||
|
|
||
| * **Node.js Project Calendar**: <https://calendar.google.com/calendar/embed?src=linuxfoundation.org_fuop4ufv766f9avc517ujs4i0g%40group.calendar.google.com> | ||
|
|
||
| Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |