doc: add 2024-05-23 notes (#1320)

nodejs · May 27, 2024 · 8e30216 · 8e30216
1 parent 88d6d86
commit 8e30216
Showing 1 changed file with 94 additions and 0 deletions.
diff --git a/meetings/2024-05-23.md b/meetings/2024-05-23.md
@@ -0,0 +1,94 @@
+# Node.js  Security team Meeting 2024-05-23
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=btIW6eUqClw
+* **Minutes Google Doc**: https://github.com/nodejs/security-wg/issues/1316
+
+## Present
+
+* Rafael Gonzaga (@RafaelGSS)
+* Marco Ippolito (@marco-ippolito)
+* Michael Dawson (@mhdawson)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new, but low sev OpenSSL vuln has been announced that should show up at some point
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  * Nothing to discuss this week
+
+### nodejs/security-wg
+
+* Initiatives 2024 votes [#1313](https://github.com/nodejs/security-wg/pull/1313)
+  * discussed results and updated initiatives on README.md
+
+* OpenSSF Scorecard Report Updated [#1312](https://github.com/nodejs/security-wg/pull/1312)
+  * will merge/close to pull in updates
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+  * covered under earlier discussion of #1313
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+  * Next step is likely PR into nodejs/node, Michael will open PR
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs [#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * waiting for the report
+  * discussion is happening in TSC issue as well.
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * nothing new, but plan to try building Undici with containers I built
+  * should also see if I can pull more people into
+
+* Brainstorm on maintainer threat model
+  * Threats
+    * Malicious code in Node.js codebase
+    * Malicious use of infrastructure
+    * Malicious links or content in website and/or documentation
+    * Substitution of Node.js binaries
+    * Malicious code in npm packages published by the project
+
+  * Levels of access
+    * external people
+    * maintainers
+    * Triagers
+    * build members
+    * TSC members
+    * Releasers
+    * Security stewards
+    * Security triagers
+    * different WG members
+    * GitHub actions
+    * Other external GitHub (other)  plugins
+
+  * Project resources
+    * GitHub
+            nodejs-private
+	nodejs org
+	pkgjs org
+    * npm account
+    * Youtube
+    * zoom
+    * Social media accounts
+    * Build infra
+      * Test machines
+      * release machines
+      * test CI
+      * release CI
+    * Website infra
+    * HackerOne
+    * Mitre
+    * email (nodejs-sec)
+    * email (iojs.org aliases)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+