doc: notes on purpose from WG meeting

[sam-github]

No description provided.

[mhdawson]

I think most of the content here might better go into a minutes doc under a meetings directory (ex https://github.com/nodejs/benchmarking/tree/master/meetings)

Have some specific comments inline as to what the content of the initial README.md might contain.

[mhdawson]

So far participation in WG has generally been, anybody interested can join. There are a few exceptions like the build WG where membership leads to access to machine etc and so the process of being formally added is a bit more rigorous. At this point I'd suggest we seed it with the list of interested parties from the issue and the make it a PR yourself into the group until we need something different.

[mhdawson]

I think this is separate. I believe is a concept I'd discussed with James and the question was if this would be the right group to discuss bringing something like that in. In that context I don't think we need anything in the readme at this poin.

[mhdawson]

I think I'd leave a decision on that until the group is up and running and we have a better feel as to what it is doing day to day.

[sam-github]

I mean the "security team", not the security working group. I might raise this as a bug on nodejs. Right now the security team is secret, I'm not sure that was intended.

[gibfahn]

@sam-github Are you talking about https://github.com/orgs/nodejs/teams/security ? I think most of the teams in nodejs are private (i.e. you can't see who's in them unless you're a member of the nodejs org). I can see who's in that team.

If you meant that the security team list should be duplicated in the README, then fair enough.

[sam-github]

yeah, that's the team. People reporting might want to know the identify of they are reporting vulns to, or maybe not?

[gibfahn]

@sam-github I think all the nodejs teams should be public (although maybe some might have a reason to be private).

[mhdawson]

For now I'd suggest something which just captures the high level mandate of the working group (based on an existing example: https://github.com/nodejs/benchmarking)

Mandate

The Security working group's purpose is to achieve the highest level of security for Node.js and community modules.

Its responsibilities are:

• Work with the node security project to bring community vulnerability data into the foundation as
  a shared asset
• Set up processes and procedures and follow these to ensure the vulnerability data is updated in
  an efficient and timely manner. As a example ensuring there are well documented processes
  for reporting vulnerabilities in community modules.
• Work to set a high standard for the Node.js project. Possibly efforts could include penetration
  testing, security reviews etc, review guidelines, coding standards etc.
• Review and recommend processes for handling of security reports (but not the implementation of those processes)_

[sam-github]

done, see #9

[mhdawson]

We need the governance boilerplate, which includes CONTRIBUTING.md, GOVERNANCE.md they can likely just be copied from one of the other WGs or the TSC or CTC repo.

[sam-github]

closing, going to move these into meeting notes, and PR the WG boilerplate