From 91f440437a3ab5365aa8344a4a8f775560d38f84 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Mon, 11 Nov 2024 21:44:21 -0500 Subject: [PATCH 1/3] docs: meeting minutes for 2024-11-11 --- meetings/2024-11-11.md | 85 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 meetings/2024-11-11.md diff --git a/meetings/2024-11-11.md b/meetings/2024-11-11.md new file mode 100644 index 0000000..2e69223 --- /dev/null +++ b/meetings/2024-11-11.md @@ -0,0 +1,85 @@ +# Express TC Meeting 2024-11-11 + +## Links + +* **Github Issue**: https://github.com/expressjs/discussions/issues/302 +* **Minutes Google Doc**: https://docs.google.com/document/d/17LNxh10Jg-7G_l3q-ZuVrWchwhNlqC2LgwX3e2oRwxI/edit?tab=t.0 + +## Present + +* Blake Embrey @blakeembrey +* Jean Burellier @sheplu +* Wes Todd @wesleytodd +* Chris de Almeida @ctcpip +* Filip Kudla @kjugi +* Jon Church @jonchurch +* Sebastian Beltran @bjohansebas +* Ulises Gascón @ulisesgascon + +## Announcements: + +* Some recent releases made and other releases will be done this week (Tomorrow/Wednesday) +* Currently Express releases for 4x and 5.x are blocked due a security patch (soon available) + +## Agenda: + +* [Create a codemod repository](https://github.com/expressjs/discussions/issues/274) +* AI Generated Logo +* Tidelift +* [STF (Sovereign Tech Fund)](https://github.com/expressjs/discussions/issues/244) +* Cloudflare Account +* Collaboration with APMs on diagnostic channels and performance monitoring + +### Create a codemod repository + +* If we want to migrate the repo to the org we need to ensure that it has all the files (license, readme, CoC, etc…) +* Sebastian and Filip agree to move the repo to the org once the files are included. +* TC Team will accept the migration and normalize the teams, etc… in the GitHub settings after the migration. + +### AI Generated Logo + +* We created a train logo, but we are thinking about dropping it and going back to the drawing board w/ a human artist. +* We are going to drop the train logo. + +### Tidelift + +* We may not be allowed to use tidelift under the OpenJSF, it’s a gray area rn apparently. +We’d need the foundation to weigh in, aren’t there other OpenJSF projects using tidelift? + +### STF (Sovereign Tech Fund) + +* We discussed earlier today having a PM role to help manage the overall contract w/ the STF. +Wes; Should we create an ADR PR to hash out decision making in the open for the STF? aka do we need a PM, who will fulfill the role, how will they be paid. + +* We didn’t make any decisions about who will work on what milestones. +* Our next steps here is to create more structure around the Grant, and decide the deliverables which rollup to the milestones. + +* Can we iterate on milestones before things are finalized? What would we do if so. + +* Specifically: “Milestone 2: Implement the @express Scope for All Modules in npm - Aimed at improving package recognition and security by republishing under a unified scope.” + + The body of the milestone is: + + “Currently, our packages are published in npm without a scope, making it difficult for + end users to identify the official packages maintained by Express. This lack of clarity + increases the risk of users accidentally installing malicious packages due to + typosquatting and other similar attacks. + + By deprecating the existing packages and republishing them under the @express + scope, we will provide better support for our users and significantly reduce the + attack surface for security vulnerabilities. This change will enhance the overall + security and trustworthiness of the Express ecosystem. The team will also provide + blog posts and documentation to update the community around these improvements + as appropriate, as well as any documentation required for future maintainers.” + +### Cloudflare Account + +* Linux Foundation infra team is providing infra support. +* Things we’ve talked to them about are: password manager, mailing list, our domain +* Who owns our cloudflare account? Right now the domain is under IBM’s cloudflare account, apparently. (Strongloop acquired express back in the day, then IBM acquired Strongloop) +* We want to get access so we can update our DNS records to enforce HTTPS on github pages. +* James Snell got us in contact w/ IBM folks, + +### Collaboration with APMs on diagnostic channels and performance monitoring + +* No time to discuss \ No newline at end of file From 8730093258d723ef2d8fa2f486a644fbbee5da02 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Fri, 17 Jan 2025 11:12:46 -0500 Subject: [PATCH 2/3] Update meetings/2024-11-11.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- meetings/2024-11-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2024-11-11.md b/meetings/2024-11-11.md index 2e69223..c93083e 100644 --- a/meetings/2024-11-11.md +++ b/meetings/2024-11-11.md @@ -65,7 +65,7 @@ Wes; Should we create an ADR PR to hash out decision making in the open for the increases the risk of users accidentally installing malicious packages due to typosquatting and other similar attacks. - By deprecating the existing packages and republishing them under the @express + By deprecating the existing packages and republishing them under the `@express` scope, we will provide better support for our users and significantly reduce the attack surface for security vulnerabilities. This change will enhance the overall security and trustworthiness of the Express ecosystem. The team will also provide From 70b770191dc02b338549f406ec627fea8d4798db Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Fri, 17 Jan 2025 11:12:56 -0500 Subject: [PATCH 3/3] Update meetings/2024-11-11.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- meetings/2024-11-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2024-11-11.md b/meetings/2024-11-11.md index c93083e..7735de2 100644 --- a/meetings/2024-11-11.md +++ b/meetings/2024-11-11.md @@ -56,7 +56,7 @@ Wes; Should we create an ADR PR to hash out decision making in the open for the * Can we iterate on milestones before things are finalized? What would we do if so. -* Specifically: “Milestone 2: Implement the @express Scope for All Modules in npm - Aimed at improving package recognition and security by republishing under a unified scope.” +* Specifically: “Milestone 2: Implement the `@express` Scope for All Modules in npm - Aimed at improving package recognition and security by republishing under a unified scope.” The body of the milestone is: