-
Notifications
You must be signed in to change notification settings - Fork 134
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
doc: add minutes for meeting 31 Jul 2024 (#1604)
Signed-off-by: Michael Dawson <midawson@redhat.com>
- Loading branch information
Showing
1 changed file
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
# Node.js Technical Steering Committee (TSC) Meeting 2024-07-31 | ||
|
||
## Links | ||
|
||
* **Recording**: <https://www.youtube.com/watch?v=vUhrta5KVzE> | ||
* **GitHub Issue**: <https://github.com/nodejs/TSC/issues/1603> | ||
|
||
## Present | ||
|
||
* Antoine du Hamel @aduh95 (voting member) | ||
* Yagiz Nizipli @anonrig (voting member) | ||
* Ruben Bridgewater @BridgeAR (voting member) | ||
* Gireesh Punathil @gireeshpunathil (voting member) | ||
* Joyee Cheung @joyeecheung (voting member) | ||
* Marco Ippolito @marco-ippolito (voting member) | ||
* Matteo Collina @mcollina (voting member) | ||
* Michael Dawson @mhdawson (voting member) | ||
* Ruy Adorno @ruyadorno (voting member) | ||
* Paolo Insogna @ShogunPanda (voting member) | ||
* Joe Sepi @<sepi@joesepi.com> (Guest - Node.js CPC rep) | ||
* Сковорода Никита Андреевич <chalkerx@gmail.com> (Guest) | ||
* Joe Eames (Hero Devs - Guest) | ||
* Aaron Frost (Hero Devs - Guest) | ||
* Amir (OSTIF - Guest) | ||
|
||
## Agenda | ||
|
||
### Announcements | ||
|
||
* Matteo -> if you have not received notification for NodeConf.eu, will get them soon. Tickets are available. Still looking for venue for the collaborator summit either before or after. | ||
* Joe have a lead, asking about IBM Dublin office | ||
* Matteo, possible fallback which is a little bit outside of the city and would cost some $ | ||
|
||
### Reminders | ||
|
||
* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight) | ||
|
||
### CPC and Board Meeting Updates | ||
|
||
*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. | ||
|
||
* Joe, CPC update | ||
* Code of Conduct moderation team settled, PR open | ||
* Matteo, Board update | ||
* Plan to have an Node.js event in 2025 is progressing. Discussion of how much focus would | ||
be on Node.js versus other topics. Top location would be Seattle and Fall, but still in | ||
discussion. | ||
|
||
### nodejs/admin | ||
|
||
* Conversion to Enterprise account [#905](https://github.com/nodejs/admin/issues/905) | ||
* Matteo we should do earlier than later, but can wait until the end of September | ||
* Michael, 2 choices flip switch or go under OpenJS enterprise account | ||
* personally lets make the smallest change possible | ||
* No objections to flipping the bit now versus later. | ||
|
||
### nodejs/node | ||
|
||
* swc deps / typescript / release to give a status update on concerns? | ||
(likely won't need though if we can get everything fixed async before the call) | ||
context: nodejs/node#54123 (comment), thread in nodejs/node#54102 | ||
* Nikita, concerned that build process pulls from internet versus being generated from the | ||
source code that we have in the repo. Could result in supply chain attack | ||
* proposing, that we add check that wasm is as expected, could be a short term solution until | ||
we improve the build process. | ||
* Marco - wasm is built in the same way that swc builds the package. It uses the crates | ||
released in the rust registry. So same issue would apply to other swc users. Similar to saying | ||
that everything which pulls package from npm is vulnerable as well. | ||
* We can fix with a lock file, and should do that. | ||
* Not sure what adding a check will fix, and it applies to other ways that we build | ||
dependencies as well. | ||
* Nikita, there are some other fixes that should be pulled in in addition to adding the security | ||
check. | ||
* Matteo, don’t think the safeguard is needed, since --experimental-strip-types is not run by | ||
default. For those who are trying out the feature, looking at the risk, don’t see a significant risk | ||
in this specific moment. Agree that to unflag it should be a top priority. This path is no the | ||
highest risk, so not necessarily the place to focus. | ||
* Antoine, as long as it stays dev only, runtime check is ok. Maybe we can move the check off | ||
thread. Since it is the first time that we don’t run the users code directly the check would be | ||
good. | ||
* Nikita, additional check is only ~3% of the overall, and optimization should not override | ||
security. | ||
* Marco, would be ok if we added to Amaro, and have a flag to turn it on, can be enabled | ||
through a flag that Node.js turns on. | ||
* Nikita, agree that adding the check into Amaro would be a good way to do it, can file a pull | ||
request to do that. Also want to update for the other bug. | ||
* Marco next steps | ||
* move change into Amaro | ||
* update Amaro | ||
* should be ready for the next 22.x release. | ||
|
||
### Hero devs esp program | ||
|
||
* Aaron, gave an overview of the program | ||
* Matteo, one issue is we don’t issue CVE’s on older versions of Node.js, some people may take | ||
that as them being safe. Is there anything on that side that you are thinking of doing? | ||
* Aaron frost, happy to take on looking at past CVEs | ||
* Michael, possible for follow up blog post to share results on CVEs | ||
* Antoine, maybe add link to Node.js blog post | ||
* Michael just want to do it in a way that does not imply project will support forever. | ||
* Michael will send email to get discussion going | ||
|
||
### OSTIF update | ||
|
||
* Amir, thanks for the feedback on the Fuzzing security audit report, got some good feedback. | ||
The last comment is about OSS Fuzz, itself, need fix before fuzzers can start running again. | ||
* <https://github.com/google/oss-fuzz/issues/11538> | ||
* Will come back to get last thumbs up once report is updated and fuzzer is running | ||
|
||
## Strategic Initiatives | ||
|
||
## Upcoming Meetings | ||
|
||
* **Node.js Project Calendar**: <https://nodejs.org/calendar> | ||
|
||
Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |