Who should have access to the security repo ?

[mhdawson]

There is discussion about who should be org owners under: 125

Part of the discussion is around access to the security repo.

In the last TSC meeting (minutes- nodejs/TSC#238) we decided we needed
input from the CTC as to who should have access to the security repo.

Options might include

• only those actively participating in handling security issues
• All CTC members
• All CTC members who opt in.

Some combination of the above or something completely different.

thoughts ?

[bnoordhuis]

I'm removing the ctc-review label. If you think this should be on the agenda, please add it (or close the issue if appropriate.)

[jasnell]

I've been thinking more and more that the the @nodejs/security team needs to be a formal working group with a bit more governance around it. Right now, the team is rather informal and questions of who should be there seem to pop up often enough that we really ought to have something a bit more defined. I know there was talk about a security working group around the Node.js Security Project coming into the foundation, but that is fundamentally a different thing and we should not conflate the two.

[Trott]

I know there was talk about a security working group around the Node.js Security Project coming into the foundation, but that is fundamentally a different thing and we should not conflate the two.

@jasnell First order of business is probably figuring out how to name the two things that should not be conflated in such a way that they don't get conflated.

[Trott]

I think this conversation is now happening elsewhere. If not, it probably should be. But this repo is obsolete so I'm going to close this. Thanks.