From e7eebc1da92a80aa85319f25326453abb35bbe3c Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 13 May 2024 11:58:19 -0300
Subject: [PATCH 1/9] votes: initiatives for 2024
---
 votes/initiatives-2024.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 votes/initiatives-2024.json
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
new file mode 100644
index 00000000..e8c0c21f
--- /dev/null
+++ b/votes/initiatives-2024.json
@@ -0,0 +1,16 @@
+{
+ "subject": "Initiatives 2024",
+ "headerInstructions": "Please create a ranking 1 to 8 to define the priority of security initiatives for 2024.",
+ "candidates": [
+ "Permission Model - Symlink & Sandbox investigation",
+ "Automate Security release process",
+ "Including SBOMBs with Node.js",
+ "Audit build process for dependencies",
+ "Node.js maintainers: Threat Model",
+ "Defense in Depths policy",
+ "Improve CII Best Practices and reach silver badge",
+ "Defining scopes of the Security team"
+ ],
+ "votes": {
+ }
+}
From 1d4a612f8440467ec28ae3d7c59f54ab5623bdcf Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 13 May 2024 11:59:19 -0300
Subject: [PATCH 2/9] vote: add Rafael Gonzaga vote
---
 votes/initiatives-2024.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index e8c0c21f..d64fa987 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -12,5 +12,15 @@
 "Defining scopes of the Security team"
 ],
 "votes": {
+ "Rafael Gonzaga ": {
+ "Permission Model - Symlink & Sandbox investigation": 3,
+ "Automate Security release process": 1,
+ "Including SBOMBs with Node.js": 6,
+ "Audit build process for dependencies": 8,
+ "Node.js maintainers: Threat Model": 4,
+ "Defense in Depths policy": 2,
+ "Improve CII Best Practices and reach silver badge": 7,
+ "Defining scopes of the Security team": 5
+ }
 }
 }
From f2749a9b8b6b0551d3e723670ee73bf573937467 Mon Sep 17 00:00:00 2001
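Review bot: The `headerInstructions` string added in the first hunk never says which end of the 1–8 scale is the highest priority, so a voter can read it either way; the outcome added later in this series is consistent with 1 meaning top priority, but nothing in the file states that. Suggest `"headerInstructions": "Please rank the 8 security initiatives for 2024 from 1 (highest priority) to 8 (lowest priority), using each number exactly once."`. Separately, the candidate `"Defense in Depths policy"` reads as a typo for `"Defense in Depth policy"`; since candidate strings are reused verbatim as keys inside every vote, renaming one after voting opens means touching every voter block (as this series later does for the SBOM spelling), so the wording should be settled in this commit, before the first vote lands.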
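Review bot: The voter key `"Rafael Gonzaga "` in the second hunk carries a trailing space, which will not match a plain `"Rafael Gonzaga"` lookup; it may be the remnant of an `<email>` part lost in rendering, but if the committed key really ends in a space it should be trimmed to `"Rafael Gonzaga"`. Because each vote is a free-form object rather than an array aligned to `candidates`, any key that drifts from the candidate string (a typo or a later rename) silently becomes an unmatched entry instead of an error, so whatever tallies this file should assert that every vote's keys equal the `candidates` set and that its values are a permutation of 1..8 — this vote does satisfy both, but nothing here enforces it.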
From: Michael Dawson
Date: Mon, 13 May 2024 15:04:23 -0400
Subject: [PATCH 3/9] add my votes
Signed-off-by: Michael Dawson
---
 votes/initiatives-2024.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index d64fa987..1cc4822e 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -23,4 +23,16 @@
 "Defining scopes of the Security team": 5
 }
 }
+ "votes": {
+ "Michael Dawson ": {
+ "Permission Model - Symlink & Sandbox investigation": 8,
+ "Automate Security release process": 1,
+ "Including SBOMBs with Node.js": 4,
+ "Audit build process for dependencies": 3,
+ "Node.js maintainers: Threat Model": 2,
+ "Defense in Depths policy": 5,
+ "Improve CII Best Practices and reach silver badge": 6,
+ "Defining scopes of the Security team": 7
+ }
+ }
 }
From 4946722dcc6a1659b222200640c441a494bb7c72 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 13 May 2024 16:19:19 -0300
Subject: [PATCH 4/9] fixup! add my votes
---
 votes/initiatives-2024.json | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index 1cc4822e..fe625096 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -21,9 +21,7 @@
 "Defense in Depths policy": 2,
 "Improve CII Best Practices and reach silver badge": 7,
 "Defining scopes of the Security team": 5
- }
- }
- "votes": {
+ },
 "Michael Dawson ": {
 "Permission Model - Symlink & Sandbox investigation": 8,
 "Automate Security release process": 1,
From 5f8c1248aceabfe3a6d007bbc9562053ae5c899b Mon Sep 17 00:00:00 2001
From: marco-ippolito
Date: Tue, 14 May 2024 19:11:48 +0200
Subject: [PATCH 5/9] vote: add Marco vote
---
 votes/initiatives-2024.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index fe625096..1136023f 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
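Review bot: The added lines in the first hunk open a second `"votes": {` immediately after the closing braces of the existing `votes` object, with no separating comma, so the file at this commit is not parseable JSON; had a comma been present it would instead be a duplicate `votes` key, which I-JSON forbids and which most parsers resolve by keeping the last value, silently discarding the first vote. The `fixup!` in the next hunk repairs this by hand by turning the block into a second entry of the existing object. The durable fix is a pre-merge check that the file parses and that each voter appears exactly once, e.g. `node -e 'JSON.parse(require("fs").readFileSync("votes/initiatives-2024.json"))'` run in CI, so a malformed or vote-dropping edit cannot land.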
@@ -31,6 +31,16 @@
 "Defense in Depths policy": 5,
 "Improve CII Best Practices and reach silver badge": 6,
 "Defining scopes of the Security team": 7
+ },
+ "Marco Ippolito ": {
+ "Permission Model - Symlink & Sandbox investigation": 6,
+ "Automate Security release process": 1,
+ "Including SBOMBs with Node.js": 3,
+ "Audit build process for dependencies": 4,
+ "Node.js maintainers: Threat Model": 2,
+ "Defense in Depths policy": 8,
+ "Improve CII Best Practices and reach silver badge": 7,
+ "Defining scopes of the Security team": 5
 }
 }
 }
From 654f46c14f24f15579ee4d7dbbd5256b2500df16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Tue, 14 May 2024 20:10:19 +0200
Subject: [PATCH 6/9] =?UTF-8?q?vote:=20add=20Ulises=20Gasc=C3=B3n=20vote?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 votes/initiatives-2024.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index 1136023f..90ac8aff 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -41,6 +41,16 @@
 "Defense in Depths policy": 8,
 "Improve CII Best Practices and reach silver badge": 7,
 "Defining scopes of the Security team": 5
+ },
+ "Ulises Gascón ": {
+ "Permission Model - Symlink & Sandbox investigation": 6,
+ "Automate Security release process": 2,
+ "Including SBOMBs with Node.js": 3,
+ "Audit build process for dependencies": 4,
+ "Node.js maintainers: Threat Model": 1,
+ "Defense in Depths policy": 8,
+ "Improve CII Best Practices and reach silver badge": 7,
+ "Defining scopes of the Security team": 5
 }
 }
 }
From 5713c4320083ad812c830889dd06637c29b3237f Mon Sep 17 00:00:00 2001
From: "Thomas.G"
Date: Tue, 14 May 2024 20:31:45 +0200
Subject: [PATCH 7/9] vote: add Thomas Gentilhomme vote
---
 votes/initiatives-2024.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index 90ac8aff..dea925af 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -51,6 +51,16 @@
 "Defense in Depths policy": 8,
 "Improve CII Best Practices and reach silver badge": 7,
 "Defining scopes of the Security team": 5
+ },
+ "Thomas Gentilhomme ": {
+ "Permission Model - Symlink & Sandbox investigation": 6,
+ "Automate Security release process": 1,
+ "Including SBOMBs with Node.js": 3,
+ "Audit build process for dependencies": 4,
+ "Node.js maintainers: Threat Model": 2,
+ "Defense in Depths policy": 8,
+ "Improve CII Best Practices and reach silver badge": 7,
+ "Defining scopes of the Security team": 5
 }
 }
 }
From 9b2b6c78ae862d63a370268300c3252c8ae662d9 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Tue, 14 May 2024 16:39:48 -0300
Subject: [PATCH 8/9] votes: add results
---
 votes/initiatives-2024.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index dea925af..40272aca 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -1,6 +1,18 @@
 {
 "subject": "Initiatives 2024",
 "headerInstructions": "Please create a ranking 1 to 8 to define the priority of security initiatives for 2024.",
+ "outcome": {
+ "ranking": [
+ "Automate Security release process",
+ "Node.js maintainers: Threat Model",
+ "Including SBOMBs with Node.js",
+ "Audit build process for dependencies",
+ "Defining scopes of the Security team",
+ "Permission Model - Symlink & Sandbox investigation",
+ "Defense in Depths policy",
+ "Improve CII Best Practices and reach silver badge"
+ ]
+ },
 "candidates": [
 "Permission Model - Symlink & Sandbox investigation",
 "Automate Security release process",
From 0c2d3d2a402dbf675bffecd394fde2ef50e957f4 Mon Sep 17 00:00:00 2001
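Review bot: The `outcome` object added in the second hunk records only the final order and not how it was derived, so nobody can re-check it from the five votes without guessing the method. Summing each candidate's ranks across the five voters gives 6, 11, 19, 23, 27, 29, 31, 34 in exactly this order (lower is better), so the ranking is consistent with a sum-of-ranks tally, but that is my reconstruction rather than something the file states. Suggest recording the method and the per-candidate totals beside the ranking, e.g. `"method": "sum of ranks across all votes, lowest total first"` and `"scores": { "Automate Security release process": 6, "Node.js maintainers: Threat Model": 11, ... }`, together with the list of voters counted, so the result remains auditable if a vote is added or edited after the fact.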
From: marco-ippolito
Date: Wed, 15 May 2024 10:12:54 +0200
Subject: [PATCH 9/9] fix: typos
---
 votes/initiatives-2024.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/votes/initiatives-2024.json b/votes/initiatives-2024.json
index 40272aca..153851f1 100644
--- a/votes/initiatives-2024.json
+++ b/votes/initiatives-2024.json
@@ -5,7 +5,7 @@
 "ranking": [
 "Automate Security release process",
 "Node.js maintainers: Threat Model",
- "Including SBOMBs with Node.js",
+ "Including SBOM with Node.js",
 "Audit build process for dependencies",
 "Defining scopes of the Security team",
 "Permission Model - Symlink & Sandbox investigation",
@@ -16,7 +16,7 @@
 "candidates": [
 "Permission Model - Symlink & Sandbox investigation",
 "Automate Security release process",
- "Including SBOMBs with Node.js",
+ "Including SBOM with Node.js",
 "Audit build process for dependencies",
 "Node.js maintainers: Threat Model",
 "Defense in Depths policy",
@@ -27,7 +27,7 @@
 "Rafael Gonzaga ": {
 "Permission Model - Symlink & Sandbox investigation": 3,
 "Automate Security release process": 1,
- "Including SBOMBs with Node.js": 6,
+ "Including SBOM with Node.js": 6,
 "Audit build process for dependencies": 8,
 "Node.js maintainers: Threat Model": 4,
 "Defense in Depths policy": 2,
@@ -37,7 +37,7 @@
 "Michael Dawson ": {
 "Permission Model - Symlink & Sandbox investigation": 8,
 "Automate Security release process": 1,
- "Including SBOMBs with Node.js": 4,
+ "Including SBOM with Node.js": 4,
 "Audit build process for dependencies": 3,
 "Node.js maintainers: Threat Model": 2,
 "Defense in Depths policy": 5,
@@ -47,7 +47,7 @@
 "Marco Ippolito ": {
 "Permission Model - Symlink & Sandbox investigation": 6,
 "Automate Security release process": 1,
- "Including SBOMBs with Node.js": 3,
+ "Including SBOM with Node.js": 3,
 "Audit build process for dependencies": 4,
 "Node.js maintainers: Threat Model": 2,
 "Defense in Depths policy": 8,
@@ -57,7 +57,7 @@
 "Ulises Gascón ": {
 "Permission Model - Symlink & Sandbox investigation": 6,
 "Automate Security release process": 2,
- "Including SBOMBs with Node.js": 3,
+ "Including SBOM with Node.js": 3,
 "Audit build process for dependencies": 4,
 "Node.js maintainers: Threat Model": 1,
 "Defense in Depths policy": 8,
@@ -67,7 +67,7 @@
 "Thomas Gentilhomme ": {
 "Permission Model - Symlink & Sandbox investigation": 6,
 "Automate Security release process": 1,
- "Including SBOMBs with Node.js": 3,
+ "Including SBOM with Node.js": 3,
 "Audit build process for dependencies": 4,
 "Node.js maintainers: Threat Model": 2,
 "Defense in Depths policy": 8,