docs: meeting minutes for 2024-10-21 #34

67 changes: 67 additions & 0 deletions meetings/2024-10-21.md
@@ -0,0 +1,67 @@
# Express Security WG Meeting 2024-10-21


## Links

* **Recording**: No recording
* **GitHub Issue**: https://github.com/expressjs/security-wg/issues/32
* **Minutes Google Doc**: https://docs.google.com/document/d/1Vh5T7BFexQcVhTT0b07kATunt-XDcUhhguQzheg8rUk/edit?tab=t.0

## Present

* Ulises Gascón (@UlisesGascon)
* Carlos Serrano (@carpasse)
* Tobias Heldt (@0xAverageUser)
* Chris de Almeida (@ctcpip)


## Agenda

## Announcements

* Blog post soon about the Security audit performed: https://github.com/expressjs/expressjs.com/pull/1657
* Participation in the Security Program Standards [#33](https://github.com/expressjs/security-wg/issues/33)
* We will discuss it soon with Adam in the following meetings
* Express will be the first project participating here and we will provide useful feedback to the foundation
* If anyone want to lead the initiative, please let us know

### expressjs/security-wg

* Proposal: Move scorecards into a single repo [#31](https://github.com/expressjs/security-wg/issues/31)
* Explore if this is feasible, currently seems like there are some features that requires the workflow to run in the repository like the branch rules detection
* Tobias is willing to help
* the idea here will be to review the scorecard scoring in every monthly meeting
* Discussion around supply chain (for us):
* How deep do we want to track out dependencies?
* We might want to focus on the licenses first?
* Proposal: add repository security advisory #30
* We are ok to enable it, but we want to do it at org level and once the security policy is updated
* We need to update the security policy to include a email (mail alias). Currently we are working with the foundation into this.
* Discussion around https://osv.dev/
* Update information about the latest security updates [#29](https://github.com/expressjs/security-wg/issues/29)
* No time to discuss
* Meeting next week? [#28](https://github.com/expressjs/security-wg/issues/28)
* No time to discuss
* Socket.dev reports on all our repos [#17](https://github.com/expressjs/security-wg/issues/17)
* No time to discuss
* OSTIF Audit for Express [#6](https://github.com/expressjs/security-wg/issues/6)
* No time to discuss
* Express.js Threat Model [#3](https://github.com/expressjs/security-wg/issues/3)
* No time to discuss
* Implementing OSSF Scorecard [#2](https://github.com/expressjs/security-wg/issues/2)
* No time to discuss
* Express.js Security WG Initiatives 2024 [#1](https://github.com/expressjs/security-wg/issues/1)
* No time to discuss




## Q&A, Other

* We need to automate the issue creation with the agenda items.

## Upcoming Meetings

* **Node.js Project Calendar**: <https://calendar.google.com/calendar/embed?src=linuxfoundation.org_fuop4ufv766f9avc517ujs4i0g%40group.calendar.google.com>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
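Review bot: the `## Agenda` heading is empty and `## Announcements` sits at the same level directly under it, while `### expressjs/security-wg` is nested one level deeper, so the agenda renders as a bare heading with inconsistent nesting; either drop `## Agenda` or demote `## Announcements` to `### Announcements` so both agenda groups sit under it. In the same hunk, `Proposal: add repository security advisory #30` is the only issue reference without a link; the neighbouring items use the form `[#31](https://github.com/expressjs/security-wg/issues/31)`, so `[#30](https://github.com/expressjs/security-wg/issues/30)` would match. Small wording fixes worth folding in: `If anyone want to lead the initiative` → `If anyone wants to lead the initiative`, `track out dependencies` → `track our dependencies`, and `include a email (mail alias)` → `include an email (mail alias)`. The runs of blank lines after the `## Present` list and before `## Q&A, Other` can be collapsed to a single blank line to match the rest of the file.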