nodejs / build

Better build and test infra for Node.

Access to CITGM under embargo to all TSC

RafaelGSS opened this issue · comments

Hey folks!

During this security release, access to CITGM for all TSC was found to be necessary during the review of the final binary. Considering TSC also has access to patches and reports, we are not exposing anything sensitive by adding the entire group as a viewer.

Ref: https://openjs-foundation.slack.com/archives/C027PSG2PJR/p1707862827771969

cc: @nodejs/tsc

Small correction: all TSC voting members have access to the patches and reports, most regular TSC members do not.

Yes, that's correct. We could give access to all voting members.

I've added the nodejs/tsc team to the security matrix.

FWIW, the reason the whole TSC doesn't have access by default to the CI during a security release is because in the past individuals on the TSC would (ab)use their access to run CIs for their non-security-related PRs, tying up the CI. Perhaps a compromise could be to remove their ability to start builds during the lockdown but retain read access?