doc: add req for sec wg review in some cases #21896
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,6 +20,7 @@ | |
| - [Breaking Changes to Internal Elements](#breaking-changes-to-internal-elements) | ||
| - [When Breaking Changes Actually Break Things](#when-breaking-changes-actually-break-things) | ||
| - [Reverting commits](#reverting-commits) | ||
| - [Additions to the Cryptography and Security APIs](#additions-to-the-cryptography-and-security-apis) | ||
| - [Introducing New Modules](#introducing-new-modules) | ||
| - [Deprecations](#deprecations) | ||
| - [Involving the TSC](#involving-the-tsc) | ||
|
|
@@ -378,6 +379,16 @@ multiple commits. Commit metadata and the reason for the revert should be | |
| appended. Commit message rules about line length and subsystem can be ignored. | ||
| A Pull Request should be raised and approved like any other change. | ||
|
|
||
| ### Additions to the Cryptography and Security APIs | ||
|
|
||
| Semver-minor commits that add or change cryptograpy/security APIs should be | ||
|
Member
There was a problem hiding this comment. Is semver-major ⊂ semver-minor? Otherwise, I don't see a reason not to include semver-major here. |
||
| treated with extra care. Due to the potential impact, it is important that | ||
| these APIs be constructed to reduce the potential for incorrect | ||
| usage. | ||
|
|
||
| These commits must have an approval from at least one member from the | ||
| [security working group](https://github.com/nodejs/security-wg). | ||
|
Member
There was a problem hiding this comment. Like others, I am fine with the recommendation around taking increased care, but I'm not sure if the Security-WG is the correct venue. The @nodejs/cryto team already exists for coverage of the crypto and openssl related items, and the @nodejs/security team already handles Node.js core security related items. Perhaps an alternative here would be to require approval from at least one member of the Security WG or either @nodejs/crypto or @nodejs/security?
Contributor
There was a problem hiding this comment. I was under the impression that the Security WG and @nodejs/security were one and the same thing. Is this not the case? Other than that, requiring approval from either the crypto or security team seems like a good idea.
Member
There was a problem hiding this comment.
@joepie91 Not really, there is @nodejs/security and @nodejs/security-wg.
Member
There was a problem hiding this comment.
They are not the same thing. I suggested not naming the WG "Security" to avoid exactly this kind of confusion. I don't know what I would name it though. Maybe "Security-and-Something-Else WG" or "Something-Else and Security WG".
Member
There was a problem hiding this comment. Oh, I guess I should explain the difference. Or at least provide links. Meanwhile, |
||
|
|
||
| ### Introducing New Modules | ||
|
|
||
| Semver-minor commits that introduce new core modules should be treated with | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cryptograpy -> cryptography