From YouTube: Security WG meeting 2019-04-22
D: Okay, so let's kick this off. So this is the Node.js Foundation Security Working Group meeting for April 22nd, 2019, and it's live for viewing on YouTube for commentary. The agenda is in the nodejs/security-wg issue tracker, issue 519, and we'll start going through the agenda. Yep, yeah.

D: So I think Michael kind of kicked up the idea of perhaps scheduling security releases every three or four months. Sorry, it doesn't get a lot of enthusiasm. Has there been anybody who hates the idea? Does anybody here have any opinions on whether that would be useful to do?

C: Like today, they're ad hoc, so either something high severity comes in and that basically triggers a security release in a short period of time. So something like the OpenSSL one, you know, there's an update, it's gonna have high enough severity, we figure, okay, we've got to release within a few days or the next day after that. Alternatively, you get a number which are sort of lower priority and, you know, haven't been disclosed yet, and those kind of, I think today, they are, they're...

C: Yeah, I would have to be, I mean, in theory it should end up with no more releases. In fact, you might end up with less, right, because you might have a stronger argument to say: let's wait on this one, which is, you know, not critical, until the next planned release, as opposed to doing one now and then doing another one in three months or whatever. Right, gotcha, okay.

D: So what I saw when I looked at this: we do about three security releases a year. So if we did one every four months, we wouldn't be increasing the rate. And there's basically, it's a small collection, but there's a small collection of pretty low-priority security items to work on.

D: You know, values to configuration things that can help with DoS, or maybe there's some stuff in the path of the URL module that some people think maybe could be exploited if you're using it for authentication, maybe. So there'll be some stuff like that, and every once in a while somebody'll be like, okay, come on guys, it's time to really sell this stuff, and then people will be like, oh, okay, and the next couple of weeks will be really busy.

D: So if it was more predictable, if we knew that every four months it would be happening, I think it might... Actually, you don't have to make the deadline if it's low priority, you can let it go to the next one, but it might kind of make it more consistent, easier to schedule. Or maybe there's no problem and we don't have to work on it, I don't know. Mike, I think you quite like that?

C: I mean, I think we have the challenge. Sometimes it's like, okay, here's the security release, and then we've got to figure out with the release team when it fits in, because we still need them involved. So it might make it easier for them to figure out when to schedule it versus not, I think, which is good. And I like it from the perspective that it gives us at least some milestones to think about, like if you're working on one of these lower-priority things it's like...

C: Well, if you think it's important enough, you should try and get it in this time, right? Whereas otherwise we do see that it's like, hey, we've decided to do one, there's these five other things, and people maybe only have a week or two of notice, right? Whereas if they'd had a month's notice, they might have been able to say, yeah, okay, I think it's important enough, and allot time. Whereas given a week's notice, you know, it's much harder to fit that in. Yeah.

A: Enterprises coming in, I see, oh, we're just gonna update every release or every security release, and then if we, like, don't have security patches to ship, they might go, you know, six months without updating. Or, you know, I guess theoretically, if they were in a perfect world, there were no security issues for like a year.

A: This is something that's kind of bugged me for a while, just because I've been working with this file: so in our release metadata, we actually have LTS as a thing, as a true/false flag. Would we also want to, because we're kind of doing it in this methodical approach, would we also want to add a security true/false flag there?

D: I don't think that has as much to do with this schedule. I think, I can't see anybody objecting to that; it just seems like an obviously useful thing to do. The way to do that would be opening an issue in the nodejs/Release working group issue tracker.

C: That's from the security side, from the security release side, yeah, so you, Matteo and Rod, and then, I mean, we always get a releaser from the release team, but I suspect that actually you're right. If we just say we want to plan these two releases, you know, and then the release team, like, they haven't even objected or anything on the issue. So normally it would just be, hey, we want to do this ad hoc one. Maybe now it's just like, hey...

D: Okay, well, let's tag them, okay! Well, let's tag them and see if we can get it onto their agenda. I mean, hopefully they can at least, like, you ask them for some candidate dates for 2019, yep. They would at least be able to eyeball their release plans and say, well, I would propose a couple of days. Yeah.

C: The only thing I'll ask, since he's here as well, in terms of, you know, for the vulnerabilities there seem to be some presets, like you'll get a response within a certain amount of time, or a fix within a certain amount of time, right? I wonder if, on the HackerOne side, we can tweak some of those to then fit our scheduled releases. Oh, you're talking about the response times! Well, there's sort of the initial response times, but there's also, like, hey, you know...

E: You kind of have different metrics, and you can totally tune those. There's, like, first response time, yeah, there's time to triage, and then there is one for, like, time to resolution. That's an optional one, so you could turn that off entirely if you just decided that this doesn't make sense for y'all's release schedule, okay, or just increase that to, like, 90 days or, you know, some other large number. Yeah.

E: In general I find that researchers are not as concerned about the resolution. You know, they want to make sure, just that, like, as long as you're transparent about it, like, hey, this is, you know, we will do this at this time. They care more about, like, okay, getting that initial response and getting the, you know, like, hey, we've confirmed this is a vulnerability, we're gonna get this fixed. You know, it's the triage type thing. Yeah.

D: Actually, I had a question about triage. I wonder if this is, maybe, it just came up. I know this is injecting into the agenda a little bit, but there's a number of Node.js issues right now that have missed their kind of triage time, but it left me wondering if we're perhaps just not setting their state correctly. I'm not crystal clear on what triage means, and I kind of looked around to find the definition. Yes.

E: Then, at that point, you know, you move it to triaged, and it can stay in triaged for quite a while. There's also intermediate states, like if you're needing more information you can do "needs more info" from the reporter, and then that sits at the top of their queue and their inbox. So yeah, it'd be the state-transition stuff, just because it does affect those metrics, but then it also kind of helps you with figuring out, like, what state something's in and, you know, like...

D: Okay, so should we be bouncing, so should we perhaps, some of those issues that are currently sitting in a state and actually, I think, are waiting for more info from me, like there's some negotiation back and forth. It sounds like, if you ask the person a question, you should also, like, flip the state back to be like waiting for the reporter.

D: I might go through the states and maybe look at their docs a little bit on how to use that stuff, so that we have kind of a more common pattern. I think some of the metrics look quite bad for us, but when I look through the actual conversations I was like, well, it seems like we're doing the right thing. So, okay.

E: One is providing both a technical program manager, or a program manager, just to assist the Node.js team with any questions, do regular check-ins at whatever frequency, you know, you would like, just helping you answer any questions you have about how things go. Separately, there's the actual triage team: our security analysts will basically take incoming reports and validate them as best they can. You know, they...

E: You know, obviously they'll do the best they can based off the knowledge they have. So, like, they'll see, like, okay, is it a valid issue? So they'll triage it, and if not, they may actually request more information from the reporter to narrow it down, or, if they're not able to make a decision, they'll escalate it to, you know, the security working group, the security triage team I should say, to make a decision on that. But it basically takes out the low-hanging fruit of, like, okay...

E: You know, the reports that come in, to make sure that they're at least getting into a state where somebody can actually look at the report and make a decision, versus the common ones that are like, okay, reports that are just completely inaccurate or just obviously need more information. And then that saves you all time. And then, separately, I can also handle any of the predetermined bounties.

E: Like, you know, we have the bounty table that you set, and I can go ahead and pay out all those bounties so that you don't have to. And if the Node.js Foundation wanted at some point to throw in more funds, then, you know, we can also handle whatever payouts through that as well. But again, these are all options; these are just what's being offered for free for the Node.js project to use.

D: I think a few people raised some concerns about, maybe, issues would get closed without at least somebody on Node looking at it and agreeing with the decision of the HackerOne triage team. So that was one concern that was raised. On the other hand, I quite like the idea of having people with, you know, a more comprehensive security background doing the initial interactions, and maybe, you know, they might be able to push back with more authority and also a wider view.

E: Sure, I mean, so anytime the HackerOne triage team were to close it out, it's still available in y'all's inbox; you can still see all those. So, you know, if you so choose, you can always go see the report, so it doesn't hide it from your view. It takes it out of the "new" state, but you can always just go and look at those closed reports yourself and choose to reopen them if you would like. Right.

E: There were two things. So I think we already had approval from you all to move forward on the Node.js side, and I think the question was: are y'all comfortable also moving forward on the Node.js ecosystem side, which is a different type of thing? It didn't seem like anybody had concerns, but I think this was for this meeting as well.

D: Is there an issue specifically in the security working group for the ecosystem issues? Because, from our notes here, the issue it references is 506. I don't, I mean, I read through that issue and I thought it was mostly just about Node core; I didn't realize it was also about the ecosystem.

E: I'm looking forward to getting this going and getting you all the help that you need, so you don't have to focus on this stuff as much as you do, and then we can take that out of your hands. And then also, if you so choose, you can also get your CVEs from us as well. I know you are a CNA, so...

E: We get the CVE IDs from MITRE. I think MITRE would probably reply back, like, hey, they're a CNA, shouldn't they be doing this? And we can reply back and just say, hey, they are the ones doing it, via us. So, like, it's probably just paperwork, or, you know, just let them know, but...

E: If they don't have context already, maybe just give them a heads up that, like, you're gonna be doing your CVEs through HackerOne and just let them know. Otherwise, you know, once that happens, then we'll let them know. I suspect MITRE would probably email back and say, like, hey, this is weird, but yeah, I don't expect a problem; we'll just say, hey, this is them, via us.

A: The bar on the bottom, so I don't know if it matters, but I'm not a member of the working group, I'm just plus-oneing it.

D: When you decide to, I'm sure there'll be nothing but positive response. That's awesome, cool, okay. So it sounded like Aaron would maybe put together some slides, but he wanted to know a little bit more, and I think he's traveling this week. Yeah.

D: ...on that, yep. Disclosure guidelines, so that is issue 505: there's some people who discovered a number of issues relating to, sounds like, yeah, sorry, take it back, the Buffer constructors.

D: So I opened a PR, a work-in-progress PR, to up the pressure on Buffer constructor users by actually removing the API in Node.js, so your code will actually just throw, and you won't be able to use those Buffer constructors. I did it in a way so that it's possible to revert: there's a security revert command-line option to Node that we use mostly in LTS, if we have to introduce a security fix that might actually break existing users; it gives them the opportunity to be like, okay, I know.

D: This is not good, but I am going to revert, you know, get rid of the security fix. I know it's controversial, and people very much don't want to break the ecosystem. I'm not gonna be pushing this PR really hard. But, given that we are continually bringing up that there are many, many issues, there might be a flood of bug reports on them coming soon.

D: If anybody in the security working group has an opinion on whether or not we should actually start, whether these problems are serious enough that we should actually remove the API and force people to opt in at the runtime level to allow these insecure usages, you should probably comment on that PR. Thank you.

A: The experience I've had with that is, like, in an ideal world, yes. The people who are, I was initially gonna reach for "smart", but that's not the right descriptor. The people who are knowledgeable enough about Node to do that are already taking care of the things they need to take care of, and the people who aren't knowledgeable, or the companies that aren't knowledgeable enough about...

C: ...turns it on, and you can say, oh, I can turn it off, right? Yeah, yeah, at least it gives you the option of saying I want to force this. So it's like, no, you know, you could similarly say, no, you can't have this. Today, there's no way to sort of find out if you have problems or not, yeah, and I think it's...

C: So this at least gives you a way where, like, internally you say, these are the flags you can't run with, right? Yeah, and you can start to see. So by default you'll get it. I think today, a part of it is, there's nothing, like, say, as a deployer, so if you're in charge of deploying it versus the developer, there's not really...

D: The way the deprecations currently work, I mentioned this in my last PR, is that they only show up if the Buffer is being used in your top-level code. In other words, if there's some utility package, when you do your tests and npm tasks to work with it, you're gonna see it, but everybody who consumes it doesn't see the deprecation warning. Well...

D: The theory is that since they can't actually change it, then why show them? Yeah, but actually, when you put deprecation warnings that say things like "security" in people's face, they go back and open issues on those sub-dependencies and put pressure, sometimes in a not very nice way. Yeah, yeah, and that's unfortunate, but anyhow, they put pressure. So we could also just, like, slightly up the pressure by removing that opt-out. So suddenly deprecations are gonna start showing up, but, like, probably, possibly all over the place, I think.

A: I guess an alternative approach is, you know, I know Chakra has done some work, I mean not an alternative but an additional approach. I know Chakra has done not a lot of work on figuring out the modules that use this, and the most impactful modules. I can dedicate some time to going through and submitting PRs to those modules just to change that usage.

A: I've done it before, and it's relatively simple, like it's a very simple change; it shouldn't be hard to review, shouldn't be hard to do. And so at that point you either get a merge, or you get the person to tell you to go away, which will let us know the ecosystem impact of, like, if this person's telling us to go away, I'm gonna use this new API, which, yeah, that could happen.

A: Less noisy, I guess, like the signal-to-noise of, like, what do I actually need to look at in this repo. That would help more people come and do this, or, like, people realize, oh yeah, this is in my dependency tree. Also just give them a line of code, around, you know, do npm ls and then whatever module; that gives them a way to kind of hand-hold them along, seeing if their code is actually... yeah.

D: After looking at that, I don't know if there's a way that you can set an environment variable to turn on the deprecation warning and then run your tests and see if it triggers anything in any of your sub-dependencies. In other words, I don't know if the opt-out is so strong you can't get rid of the opt-out. That might make a difference: allow people to just see, okay, does this affect me or not? Or is it just a bunch of packages on npm that, I guess, I don't care about, right?

C: I think, you know, your PR will, I mean, I think there's some other ones as well, but it'll probably have some more discussion, and then, you know, if we think we need to do something as a security working group, we need to figure out, like, okay, what are the steps? Or is it, like, encouraging people to help update Buffer? You know, whatever would be good to say here, the concrete next steps that we...

D: Okay, so I think for that thing, the next issue along would be issue 504, which is, did we just talk about this? We just talked about it there twice.

D: 505, oh sorry, a different one.

A: This is about automating indices. I kind of went about this out of order: I created a PR before creating the issue. I totally spaced that I said I'd create an issue first, but yeah, basically maintaining indices in the security advisories repo, the one we were just talking about, so people can programmatically parse them. I've also suggested in a comment, I really didn't do it in this issue, I can do that now...

A: These could perhaps live on nodejs.dev until, you know, as part of that workflow, instead of being put up on the current website, just to kind of release them with that when it becomes the official website, and also to have them online in a place that people know they can reach them. So, you know, but also not saying this is an official thing immediately.

C: That makes sense, yeah. The main thing for me is just that we get the group here to say, yeah, we commit to maintaining these, because I think once they're there, people will be depending on them, and it's another piece of data. So it's just getting enough people to say, hey, that's a good idea, and we'll make it a priority to keep them going. Yeah, absolutely.