Increasing visibility of Node.js security patches on node-private

[RafaelGSS]

I've been doing security releases for quite a while and to be honest, it's a bit frustrating to not have enough people reviewing the patches before they go out. The reason for that is that reviewing that PR is... time-consuming. One would need to read the HackerOne report and have an understanding of that particular piece of code to review it properly -- despite the fact most TSC members do not have much time to spend on those scenarios.

That said, I wonder if we could find a way to improve the current situation. I believe that using GitHub Advisories for patches can be good as we could invite external people (with context on the particular patch) to review + the report. I just don't know if we can run Jenkins CI on it -- It also needs to be checked by the automation as it expects the PR to be created under node-private.

cc: @nodejs/tsc @nodejs/security

[RafaelGSS]

I think to not change the process too much, we could at least make a procedure to announce PRs that need review before going public at every TSC meeting.

Wdyt?

[mhdawson]

Mentioning them in the TSC meeting sounds ok to me

[mcollina]

The problem is that we can't run CI on GitHub Advisories (at least right now), making them useless for our use case ad they would lead to more work.

Instead, I think we could:

• expand the people with access to node-private
• add them as-needed to the hackerone reports

[bnoordhuis]

The reason for that is that reviewing that PR is... time-consuming

Agreed, fortunately there's an easy solution: pay reviewers for their time.

Basically all problems around here boil down to "we need more people" but that's like the easiest problem in the world to solve: just throw money at it.

People already like hacking on node. The foundation just needs to make it worth their while and not be so stingy.

[ljharb]

You may be vastly overestimating how much money the foundation has available - Robin gave a talk on it at the last NodeConf EU - i couldn't find a recording, but https://www.igalia.com/chats/magic-piles-of-money is a podcast where they talk about it.

[jasnell]

... The foundation just needs to make it worth their while and not be so stingy.

@ljharb was more diplomatic in his response to this than my initial reaction to this comment. The foundation isn't being stingy. If you want the foundation to be helping to pay for these kinds of things, then there are opportunities for you to help the foundation raise more funds. Money doesn't magically appear.

https://www.youtube.com/watch?v=Yq2hEseP-Ck&list=PLFVadYWYE9opLgYJ7i0j50oIgn6pqBOM7&index=15

[Dustin4444]

I've been doing security releases for quite a while and to be honest, it's a bit frustrating to not have enough people reviewing the patches before they go out. The reason for that is that reviewing that PR is... time-consuming. One would need to read the HackerOne report and have an understanding of that particular piece of code to review it properly -- despite the fact most TSC members do not have much time to spend on those scenarios.

That said, I wonder if we could find a way to improve the current situation. I believe that using GitHub Advisories for patches can be good as we could invite external people (with context on the particular patch) to review + the report. I just don't know if we can run Jenkins CI on it -- It also needs to be checked by the automation as it expects the PR to be created under node-private.

cc: @nodejs/tsc @nodejs/security

[bnoordhuis]

You may be vastly overestimating how much money the foundation has available

Quite the opposite; it's half a million more than I remembered! What probably didn't change is that a lot just kind of leaks away.

Consider this: set aside a mere 15% of that $2.9 million and let people bill at $100/hr. That's enough money to allow 10 people to bill 8 hours every week of the year. Imagine how much more work would get done.