@watson
Member

@watson watson commented Sep 30, 2019

Hey @nodejs/security-wg,

I would like to join the Node.js Security Working Group.

I just started in a new position where I'll be primarily working with Node.js security and would, therefore, like to contribute to this WG. I hope to be able to contribute my time and energy into improving both the general security of Node.js and the security-related APIs.

I'm already a member of the Diagnostics WG.

/thomas

Contributor

@cjihrig cjihrig left a comment

SGTM

@sam-github
Contributor

+1

Member

@mhdawson mhdawson left a comment

LGTM

Contributor

@MarcinHoppe MarcinHoppe left a comment

👍

@lirantal
Member

lirantal commented Oct 1, 2019

Sounds great Thomas 👍

Would you want to join the 3rd Party Triage team or is this more about the processes and general security agenda of the WG?

@watson
Member Author

watson commented Oct 2, 2019

@lirantal Good question. I think it's probably easiest to first join without membership of the 3rd Party Triage team. My current goal for joining the WG is to participate in the WG discussion and work on new security features in Core. Once I get my bearings I might reconsider though 😃

@sam-github
Contributor

> work on new security features in Core

Note that this WG has been rechartered so that its focus is on Ecosystem: nodejs/TSC#759

@MarcinHoppe MarcinHoppe mentioned this pull request Oct 25, 2019
@MarcinHoppe
Contributor

I think we've had enough positive signals to proceed with welcoming @watson to the WG. I can be his on-boarding buddy.

@lirantal
Member

Happy to get @watson onboard but I want to state out that:

  1. Thomas seems to participate more in general Node.js core security work and not specifically the 3rd party triage team. However, since requesting to join we've had doc: TSC has responsibility for Node.js security #579 landing which changed the charter of the group to focus more on the 3rd party triage than Node.js core/security releases and processes.
  2. We have colleagues of Thomas requesting to join too with Nominate Brandon Kobel as member of the WG #582 and Nominate Larry Gregory as member of the WG #583 but largely remain un-attended for the last 3 months and not sure on whether the primary intent is to help triaging security issues or not.

cc @kobelb @legrego

@sam-github
Contributor

@watson @kobelb @legrego I'm in agreement with @lirantal here. More participants are welcome, but there is some process involved in the on and off boarding process. I think it's enough that it's worth avoiding unless you intend to get involved in triage (which needs more participants, so if that is your intention, please say so!).

There are other things that have been discussed as useful things to do, such as writing guides on secure Node.js practices, etc. (see the issue tracker), but WG membership isn't required to do that, and we've never (to my knowledge) refused anyone who wanted to participate in a WG meeting, member or not.

Since WG membership isn't required to comment on issues or work on security, perhaps you would like to attend some meetings or otherwise get involved in the WG github issue tracker before deciding if you want to join the WG?

@MarcinHoppe
Contributor

I confirmed with @watson that he does not plan to join the WG with its current focus and I am closing this PR.

I agreed with Thomas that if he wants to join in the future, this PR can be easily re-opened if need be.
