
Node.js Security team Meeting 2023-11-09 #1146

Closed
mhdawson opened this issue Nov 6, 2023 · 5 comments

Comments

@mhdawson
Member

mhdawson commented Nov 6, 2023

Time

UTC Thu 09-Nov-2023 15:00 (03:00 PM):

Timezone Date/Time
US / Pacific Thu 09-Nov-2023 07:00 (07:00 AM)
US / Mountain Thu 09-Nov-2023 08:00 (08:00 AM)
US / Central Thu 09-Nov-2023 09:00 (09:00 AM)
US / Eastern Thu 09-Nov-2023 10:00 (10:00 AM)
EU / Western Thu 09-Nov-2023 15:00 (03:00 PM)
EU / Central Thu 09-Nov-2023 16:00 (04:00 PM)
EU / Eastern Thu 09-Nov-2023 17:00 (05:00 PM)
Moscow Thu 09-Nov-2023 18:00 (06:00 PM)
Chennai Thu 09-Nov-2023 20:30 (08:30 PM)
Hangzhou Thu 09-Nov-2023 23:00 (11:00 PM)
Tokyo Fri 10-Nov-2023 00:00 (12:00 AM)
Sydney Fri 10-Nov-2023 02:00 (02:00 AM)

Or in your local time:

Links

Agenda

Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

nodejs/security-wg

  • Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting #1145
  • Have a SBOM for Node.js? #1115
  • License checker process/script #1104
  • Audit build process for dependencies #1037
  • Initiative for CII-Best-Practices for Nodejs Projects #953
  • Permission Model - Roadmap #898

Invited

  • Security wg team: @nodejs/security-wg

Observers/Guests

Notes

The agenda comes from issues labelled with security-wg-agenda across all of the repositories in the nodejs org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

https://zoom.us/j/92309450775

  • link for participants: <>
  • For those who just want to watch: we stream our conference call straight to YouTube so anyone can listen to it live. It should start playing at https://www.youtube.com/c/nodejs+foundation/live when we turn it on. There's usually a short cat-herding time at the start of the meeting, and then occasionally we have some quick private business to attend to before we can start recording & streaming. So be patient and it should show up.
  • youtube admin page: https://www.youtube.com/my_live_events?filter=scheduled
@mhdawson mhdawson self-assigned this Nov 6, 2023
@marco-ippolito
Member

Maybe we will have to skip this meeting since we will be all travelling from NodeConf
Cc @prabhu

@RafaelGSS
Member

FYI @Amir-Montazery, it is likely this meeting will be cancelled due to most of us attending NodeConfEU.

@Amir-Montazery

Ok, thank you Rafael! Regardless of whether this meeting gets cancelled or not, I'll have some more info for the group in the coming days.

@Amir-Montazery

I'll be ready for the 11/23 meeting. I will provide more information as soon as possible, I am waiting on an update and should have it this week.

@Amir-Montazery

Here's what we have in mind for the node.js security work for December. It will require minimal input and time commitment from existing developers. I will have more info at the 11/23 meeting. See below:

There are currently two projects integrated into OSS-Fuzz that target Node.js code:

The llhttp project is doing well and has been for a long time: https://introspector.oss-fuzz.com/project-profile?project=llhttp

The Node.js project has been broken for a long time and its fuzzer is not running. It makes sense to make sure the Node.js project gets back to running, and also to update the fuzzer accordingly as well as extend the setup. The fuzzer for the Node.js project in OSS-Fuzz is the fuzzer in the Node codebase here: https://github.com/nodejs/node/tree/main/test/fuzzers. Note that it was David Korczynski who did the initial work for getting Node into OSS-Fuzz, so he's familiar with the existing work from that perspective.

Another improvement that has happened in OSS-Fuzz over the last year has been improved support for JavaScript fuzzing. As such, we will be looking at applying this to the Node.js codebase as well.
