From 87279c12a3a621671e1e9ddd00a288b36c3a3b20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 21 Oct 2024 19:39:47 +0200 Subject: [PATCH] docs: meeting minutes for 2024-10-21 closes https://github.com/expressjs/security-wg/issues/32 --- meetings/2024-10-21.md | 67 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 meetings/2024-10-21.md diff --git a/meetings/2024-10-21.md b/meetings/2024-10-21.md new file mode 100644 index 0000000..c490038 --- /dev/null +++ b/meetings/2024-10-21.md 
@@ -0,0 +1,67 @@ +# Express Security WG Meeting 2024-10-21 + + +## Links + +* **Recording**: No recording +* **GitHub Issue**: https://github.com/expressjs/security-wg/issues/32 +* **Minutes Google Doc**: https://docs.google.com/document/d/1Vh5T7BFexQcVhTT0b07kATunt-XDcUhhguQzheg8rUk/edit?tab=t.0 + +## Present + +* Ulises Gascón (@UlisesGascon) +* Carlos Serrano (@carpasse) +* Tobias Heldt (@0xAverageUser) +* Chris de Almeida (@ctcpip) + + +## Agenda + +## Announcements + +* Blog post soon about the Security audit performed: https://github.com/expressjs/expressjs.com/pull/1657 +* Participation in the Security Program Standards [#33](https://github.com/expressjs/security-wg/issues/33) + * We will discuss it soon with Adam in the following meetings + * Express will be the first project participating here and we will provide useful feedback to the foundation + * If anyone want to lead the initiative, please let us know + +### expressjs/security-wg + +* Proposal: Move scorecards into a single repo [#31](https://github.com/expressjs/security-wg/issues/31) + * Explore if this is feasible, currently seems like there are some features that requires the workflow to run in the repository like the branch rules detection + * Tobias is willing to help + * the idea here will be to review the scorecard scoring in every monthly meeting + * Discussion around supply chain (for us): + * How deep do we want to track out dependencies? + * We might want to focus on the licenses first? +* Proposal: add repository security advisory #30 + * We are ok to enable it, but we want to do it at org level and once the security policy is updated + * We need to update the security policy to include a email (mail alias). Currently we are working with the foundation into this. + * Discussion around https://osv.dev/ +* Update information about the latest security updates [#29](https://github.com/expressjs/security-wg/issues/29) + * No time to discuss +* Meeting next week? 
[#28](https://github.com/expressjs/security-wg/issues/28) + * No time to discuss +* Socket.dev reports on all our repos [#17](https://github.com/expressjs/security-wg/issues/17) + * No time to discuss +* OSTIF Audit for Express [#6](https://github.com/expressjs/security-wg/issues/6) + * No time to discuss +* Express.js Threat Model [#3](https://github.com/expressjs/security-wg/issues/3) + * No time to discuss +* Implementing OSSF Scorecard [#2](https://github.com/expressjs/security-wg/issues/2) + * No time to discuss +* Express.js Security WG Initiatives 2024 [#1](https://github.com/expressjs/security-wg/issues/1) + * No time to discuss + + + + +## Q&A, Other + +* We need to automate the issue creation with the agenda items. + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
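Review bot: The `## Agenda` heading is empty; it is followed directly by `## Announcements`, while the next section is `### expressjs/security-wg`, so the heading levels are inconsistent. Either drop the empty `## Agenda` heading or demote `## Announcements` to `### Announcements` so both it and the repo section sit under Agenda. Two more structural points in the same hunk: issue `#30` is the only agenda item whose number is not linked (every other item uses the `[#NN](https://github.com/expressjs/security-wg/issues/NN)` form), and under `## Upcoming Meetings` the line `* **Node.js Project Calendar**:` has nothing after the colon, yet the sentence below tells the reader to click `+GoogleCalendar`; add the calendar link or embed, or remove the instruction. Finally, a few wording fixes: "If anyone want to lead" should be "wants", "some features that requires the workflow" should be "require", "track out dependencies" should be "our", "include a email (mail alias)" should be "an email", "working with the foundation into this" should be "on this", and "the idea here will be to review" reads better as "the idea is to review". The Q&A action item "We need to automate the issue creation with the agenda items" would benefit from an owner so it does not get lost.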