-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Strategic Initiative on Primordials #1439
Comments
Stuff to do once the TSC approves, ideally:
It's really important to me that people feel safe to participate in this so I ask that people make an even bigger effort to come with an open mind to discuss this in good faith for the benefit of the Node.js project and its users. |
Primordials are sometimes a security feature - just not always. I doubt anyone would argue that primordials create no contribution burden :-) |
"sometimes security" is no security IMO. I feel strongly that given our current threat model primordials do not provide any additional security guarantees without extensive static escape analysis that shows that the code is actually "safe" and tooling to enforce that on dependencies. I think it would be a lot more productive to focus on robustness and explicitly make security a non-goal since it would be a lot easier to build consensus around that and define that clearly. A use case describing something like "If a prototype is modified and an error is thrown - the uncaught error handler still fires" is measurable, enforceable and easy to discuss. We simply don't have a way to do that with "security". |
A strategic initiative SGTM but I wonder if we should concentrate on primordials - primordials are means to achieve robustness against prototype pollution, not the ends. Perhaps it can be named "prototype pollution" instead, and there are a range of solutions to this end - testing, using primordials, moving to native, some TC39 proposal (e.g. https://github.com/tc39/proposal-symbol-proto) to enhance the language, etc. And the goal of the initiative is just to find a balance between robustness and maintainability. Note that primordials aren't the only thing in scope currently even, there's also |
A moat-based defense is appropriate in security; it’s not all or nothing. |
More generally altering builtins and not just prototype pollution, e.g. the user changing
Agreed though I'd like to focus on the use of primordials and come up with a recommendation about the other areas (e.g when we should prefer native code, what we want from TC39 etc). I'm not sure what "testing" is here though.
I'm not sure why since:
The topic is "primordials" and not "robustness" since the initial focus I had in mind was to build consensus around when/how we use primordials rather than solve the larger issue though I think we can do the former and then tackle the later.
An unaudited and unverified security mechanism is a bad one that just creates a false sense of security and leads users to assume something that isn't secure is secure. It's "rolling your own crypto", in order to claim a piece of code is covered by primordials we'd need to formally prove it over the language with escape analysis, it's possible it's just not something anyone volunteered to do. Node is a big platform trusted by many companies and users and I won't feel comfortable with the project claiming security or isolation without verification much like I wouldn't want to ship our own unaudited scrypt. |
I totally agree that node shouldn't claim security externally without those verifications; that doesn't mean there's no value in internally attempting to mitigate security issues, whether partially or fully. Formal proofs and security audits are important but they're not the gate for something that improves security. |
As we did not have time to discuss this in the TSC meeting and get synchronous consensus I'll fall back to lazy consensus, if this does not have any -1s after 7 days I'll go ahead and start bootstrapping this. cc @nodejs/tsc |
+1 to lazy consensus fall back. |
I'm +1 with the approach. |
@benjamingr I think this is an extremely reasonable approach that most likely will strike a good balance between the competing goals involved. It's a tricky problem which will likely always be some sort of unsatisfying compromise solution, but hopefully a better compromise can be found. Or if not, at least there'll be more clarity around why it is the way it is and how to minimize the downsides :) |
Opened nodejs/node#49706 if no one objects in two days I'll follow through with the steps outlined in #1439 (comment) |
I've created the team https://github.com/orgs/nodejs/teams/primordials please let me know if you want to be added (or feel free to add yourself if TSC member). I will send a doodle ±next week I already pinged the people above. |
I'd like to be added to the team. |
I'd be happy to join as well |
This comment was marked as duplicate.
This comment was marked as duplicate.
Hello! Is there any progress made on this? I'd like to understand where we are to help with this. |
Feel free to take over, I am unlikely to be able to engage in this at a reasonable capacity until the war is over (mostly because I dedicate the volunteer work time intended for this to that). |
@benjamingr can you add tsc-agenda label? |
Sure, fwiw any collaborator may add the tsc agenda label to an issue afaik |
not to the tsc repository issues :-) |
It was a bit unclear during the TSC meeting what the ask from the TSC is. We created the team and a repository last year. |
I think @anonrig is frustrated (rightfully so) that I started this initiative but didn't actually do or accomplish anything (I haven't had time for any commitments due to the dynamic situation of the war + 90% of all my "open source" time being dedicated to volunteer work). I think he would prefer someone else to pick this up (I'm fine with that) rather than wait for the war in Israel to end (which might take another year or two). Obviously Yagiz can speak for themselves though. |
@benjamingr explained it well. i have nothing personal against the current work done. i understand and relate myself to whats happening around the world. i just want to proceed with this initiative. i am fine by waiting X months for the war to be over so that @benjamingr can continue but I know it's impossible to find that X value. |
@BridgeAR and I are having a call next Tuesday (Jul 2nd) at 16:00 UTC (6pm CEST) to discuss this. Please reach out on Slack or via email if you want to join. The meeting won't be streamed. |
Primordials are a way we use to add robustness to certain areas in our code and there has been a lot of debate about whether or not the issues they create regarding performance and ease of contribution are worth it in different contexts.
Context: #1438 nodejs/node#18795
I'd like to proposes a (ideally short lived) new strategic initiative around deciding their status in the project.
I'm happy to drive this as a strategic initiative if there is interest from the TSC with the following format:
I would really like it if collaborators who have spent a lot of time thinking about this participate, namely @aduh95 , @ronag @joyeecheung and @anonrig but there are a lot of others here like @isaacs and @ljharb that are welcome too weigh in and participate.
I think our opinions don't differ that much honestly and I think once we iron out the specifics we can come to a good resolution.
The text was updated successfully, but these errors were encountered: