Conversation
Co-authored-by: Yagiz Nizipli <yagiz@nizipli.com>
There is the supply chain vector as well where the tooling for generating the binaries can be compromised outside CI pipeline and brought in via a trusted source.
I think that still falls in the

Yep!

Is it worth including https://github.com/nodejs/unofficial-builds which we use for the alpine docker images?
richardlau left a comment
Has any consideration been given to the website now recommending ways of installing Node.js outside of the project's control (e.g. nvm, fnm), but which are the default options if visiting the website?
I also don't see the nodejs/nodejs.org GH repo which is where the download links/blog posts are published. This is separate from Vercel, where the website is deployed.
We discussed it in the last security WG meeting and we'll include nodejs.org, yes. I'll do it right after this PR lands.
sxa left a comment
A few typographic suggestions - this looks like a good addition overall. I'll try and go through it in a bit more detail to see if I can think of anything else too.
(Also, primarily as a note to self when I come back: [here](https://github.com/nodejs/security-wg/blob/add-more-threads-to-maintainers-model/MAINTAINERS_THREAT_MODEL.md) is the rendered version from the PR branch)
Co-authored-by: Stewart X Addison <6487691+sxa@users.noreply.github.com>
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Co-authored-by: Richard Lau <rlau@redhat.com>
Please take a look:
@nodejs/tsc @nodejs/build @nodejs/releasers @nodejs/security @nodejs/docker
cc: @nodejs/security-wg