Updated security team to reflect the status quo #1102
Conversation
This should match https://github.com/orgs/nodejs/teams/security-triage/members (see the ncu-team-sync markers for syncing the list via node-core-utils).
Then could somebody else take care of this update? Thanks :).
@nodejs/tsc I've put this in the agenda.
Additionally, nodejs security-triage should match nodejs-private security-triage and it does not. I'll take care of this.
Ooof, actually, yeah, let's discuss this at the meeting. There are some discrepancies that may not be trivial to resolve.
Update is in #1105, but perhaps let's keep this open so that we can discuss the following at the TSC meeting (or in the private segment):
I think we should break this out so that it's clear which people have access as TSC members and which are for another reason. We should probably then review that list at least quarterly to remove people who are not active. I think there are a number of people who should be removed at this point.
I'll add that my main reason for not agreeing we should just delete the whole idea is that we need to figure out how to better enable people to contribute to the security side of the work versus just having TSC members be the ones with access.
@mhdawson I didn't communicate as clearly as I could have. The random-ish list is referring specifically to "These non-TSC and TSC Emeriti also have access:". That list and entire concept needs to be removed. That doesn't remove non-TSC people. It just removes a random "we're leaving these people on because we like them" list. People not on the TSC can (and should) still be on the triage list above that list, for example.
Oh, wait, I see. The one list I'm talking about is HackerOne specific, while the other one is nodejs private repo. This is a mess. It's out of date and will never be properly maintained until we automate it.
cc @nodejs/tsc
New volunteers would be highly welcomed.