-
Notifications
You must be signed in to change notification settings - Fork 96
Create a security team #48
Comments
Also: This is currently being controlled here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json We'd need a |
I volunteer. Do I need to file a PR for that aliases file? Also, /cc @nodejs/crypto - I believe @indutny is or was on [email protected] and @shigeki probably makes a good addition as well. |
let's see how it shakes out in discussion, the TSC probably needs to sign off on the final list, we'll give it another week |
Add me up. |
Btw, it is probably a good manner to cc people when issue is created. Not everyone is watching the repo. |
/cc @nodejs/tsc |
Original issue: nodejs/node#430 |
+1... Sign me up! |
I would like to be on the list. |
Please add me to the list. |
I'd like to be on the list as we need to quickly address issues in the IBM internal builds as well |
Joining the discussion a bit late, sorry about that. There is already a [email protected] mailing list, and a process outlined at https://nodejs.org/about/security/ that a lot of people have been using to report security issues. Why not start from here? @rvagg If you're interested in having control over the management of the [email protected] mailing list, just say the word. |
Is there a passive participant position? Want to be part of this so I know what's going on, but doubt I'll have much to contribute outside of any security bugs I find. |
@rvagg Also, in case it wasn't clear, I should mention that Todd Benzies from the Linux Foundation is now managing the nodejs.org Google Apps domain, so it's really managed by the Node.js Foundation, not Joyent. |
@misterdjules thanks for the context, I wasn't aware of the Node.js security@ list or procedure (although I was looped in to the recent HP email thread which I guess should have clued me in!). I did a quick search of the repo / README and didn't see anything and since we don't have anything for iojs.org I figured this would be an overlapping concern but it seems not, yet anyway! This actually comes from finally having MX set up for iojs.org so we can do email addresses and the only really pressing one is security@ so I wanted a list of people to put here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json - I also assumed we'd use the same setup (Mailgun) for nodejs.org continuing on from this issue. I'm happy to sit on this issue for now then, since we have a [email protected] procedure in place that's all good. I'll set up an interim thing for iojs.org. |
nodejs/node#1948 - added a section to the io.js README https://github.com/nodejs/email/blob/master/iojs.org/aliases.json#L3 - bounce email to [email protected] to [email protected] |
Who is going to add the people on the list to [email protected]? |
@bnoordhuis @tbenzies from the Linux Foundation can do that. |
Sent an email to Todd Benzies and asked him if he can join this thread. |
The following people have been added to [email protected]: @rvagg However, [email protected] is bouncing -- is there a different email address that I can use? |
Thank you @tbenzies! |
We need a small group of people who receive emails to security@ addresses (currently just [email protected] because that's all I have control over, but eventually [email protected] too).
My preference would be for it not to be the entire TSC but a smaller subgroup that can quickly and discretely and escalate issues in the appropriate way. But how we construct this is open for discussion of course.
I'd like to put my hand up for serving in this role along with a couple of others.
Discuss.
The text was updated successfully, but these errors were encountered: