Create a security team about node-convergence-archive HOT 22 CLOSED

Also:

This is currently being controlled here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json

We'd need a ## Security section on the README to list this and explain the steps to take if you find a vulnerability.

from node-convergence-archive.

I volunteer. Do I need to file a PR for that aliases file?

Also, /cc @nodejs/crypto - I believe @indutny is or was on [email protected] and @shigeki probably makes a good addition as well.

from node-convergence-archive.

let's see how it shakes out in discussion, the TSC probably needs to sign off on the final list, we'll give it another week

from node-convergence-archive.

Add me up.

from node-convergence-archive.

Btw, it is probably a good manner to cc people when issue is created. Not everyone is watching the repo.

from node-convergence-archive.

/cc @nodejs/tsc

from node-convergence-archive.

Original issue: nodejs/node#430

from node-convergence-archive.

+1... Sign me up!

from node-convergence-archive.

I would like to be on the list.

from node-convergence-archive.

Please add me to the list.

from node-convergence-archive.

I'd like to be on the list as we need to quickly address issues in the IBM internal builds as well

from node-convergence-archive.

Proposing a security@ team:

• @rvagg
• @bnoordhuis
• @indutny
• @jasnell
• @cjihrig
• @shigeki
• @mhdawson

from node-convergence-archive.

Joining the discussion a bit late, sorry about that. There is already a [email protected] mailing list, and a process outlined at https://nodejs.org/about/security/ that a lot of people have been using to report security issues. Why not start from here?

@rvagg If you're interested in having control over the management of the [email protected] mailing list, just say the word.

from node-convergence-archive.

Is there a passive participant position? Want to be part of this so I know what's going on, but doubt I'll have much to contribute outside of any security bugs I find.

from node-convergence-archive.

@rvagg Also, in case it wasn't clear, I should mention that Todd Benzies from the Linux Foundation is now managing the nodejs.org Google Apps domain, so it's really managed by the Node.js Foundation, not Joyent.

from node-convergence-archive.

@misterdjules thanks for the context, I wasn't aware of the Node.js security@ list or procedure (although I was looped in to the recent HP email thread which I guess should have clued me in!). I did a quick search of the repo / README and didn't see anything and since we don't have anything for iojs.org I figured this would be an overlapping concern but it seems not, yet anyway!

This actually comes from finally having MX set up for iojs.org so we can do email addresses and the only really pressing one is security@ so I wanted a list of people to put here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json - I also assumed we'd use the same setup (Mailgun) for nodejs.org continuing on from this issue.

I'm happy to sit on this issue for now then, since we have a [email protected] procedure in place that's all good. I'll set up an interim thing for iojs.org.

from node-convergence-archive.

nodejs/node#1948 - added a section to the io.js README

https://github.com/nodejs/email/blob/master/iojs.org/aliases.json#L3 - bounce email to [email protected] to [email protected]

from node-convergence-archive.

Who is going to add the people on the list to [email protected]?

from node-convergence-archive.

@bnoordhuis @tbenzies from the Linux Foundation can do that.

from node-convergence-archive.

Sent an email to Todd Benzies and asked him if he can join this thread.

from node-convergence-archive.

The following people have been added to [email protected]:

@rvagg
@bnoordhuis
@indutny
@jasnell
@cjihrig
@shigeki
@mhdawson

However, [email protected] is bouncing -- is there a different email address that I can use?

from node-convergence-archive.

Thank you @tbenzies!

from node-convergence-archive.