Adding a "security" property to dist/index.json #437
Comments
|
Seems reasonable, although it would be reliant on the person doing the release to update the property. Security releases are typically not done by the regular releasers. |
|
It would have to be part of the release process, and it could also be part of the security release process. The person going through the sec release process often isn't doing the actual cutting of the release, so a step there of "check that the metadata was correct" could be useful as a double-check. |
|
The tool to generate |
|
I imagine it would be more the security release process, with the property defaulting to false like the |
|
We may want to add a similar NODE_VERSION_IS_SECURITY_RELEASE tag in the build |
|
Both adding it to the meta data and @MylesBorins suggestion makes sense to me. +1 |
|
I'll have a look at what changes would be needed (on the Node.js core build side and nodejs-dist-indexed). |
|
Raised nodejs/node#27612 and nodejs/nodejs-dist-indexer#8. |
|
Added to the Release agenda as this is a change to the release process. |
Parse the release notes for a release to determine if it is a security release. Refs: nodejs/Release#437
|
Rod has questioned the proposed approach and suggested some alternatives. I've implemented the first alternative (parse commit message for |
The release commit message for security releases have conventionally started with the phrase `This is a security release.`. Codify this as part of the release process so that the distribution indexer can use this to detect and mark releases as security releases. Fixes: nodejs/Release#437 Refs: nodejs#27612 (comment) Refs: nodejs/nodejs-dist-indexer#9
|
The original proposal nodejs/node#27612 has been closed. Opened alternative approach nodejs/node#27643 as a counterpart to nodejs/nodejs-dist-indexer#9. |
|
Reopening because while the Node.js side is taken care of the property won't be added to the distribution index files until nodejs/nodejs-dist-indexer#9 lands. |
|
Thank you for your work on this @richardlau ❤️ |
The release commit message for security releases have conventionally started with the phrase `This is a security release.`. Codify this as part of the release process so that the distribution indexer can use this to detect and mark releases as security releases. Fixes: nodejs/Release#437 Refs: #27612 (comment) Refs: nodejs/nodejs-dist-indexer#9 PR-URL: #27643 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Rich Trott <rtrott@gmail.com>
Parse the release notes for a release to determine if it is a security release. Refs: nodejs/Release#437
|
Index files now contain a security property as of nodejs/nodejs-dist-indexer#9. |
Per a brief discussion in today's Node.js Security Working Group meeting, I wanted to bring up the possibility of adding a
securityproperty into the dist/index.json.To outline a possible structure/implementation for this property:
securityproperty to each new release object, from the date it's implemented and beyondsecurityand a boolean as the valuetruefalseThe intent is that this is similarly structured to
LTS, providing a signal to consumers of the file that a release is a security release.Theoretically, developers (us included!) could use this in a few ways:
true– when they encounter true for the first time, they know that version is the minimum secure versionHopefully this wouldn't be a massive burden for y'all when maintaining releases, but if it is that's 100% understandable ❤️
The text was updated successfully, but these errors were encountered: