What IS this security initiative?

[williamkapke]

Here are the choices:

Top Level Project:
https://github.com/nodejs/TSC/blob/master/Project-Lifecycle.md

Top-Level Working Group:
https://github.com/nodejs/TSC/blob/master/WORKING_GROUPS.md

Core Working Group:
https://github.com/nodejs/node/blob/master/WORKING_GROUPS.md

It seems to me that this is probably a rare Top Level Project... but it is skipping the incubation phase I guess.

If everyone agrees, then this project should work towards completing the steps detailed in Project-Lifecycle.md.

Currently, @sam-github has been doing some nice work in #9 towards making it a Working Group- so I thought we should make sure the effort is in the right direction.

@nodejs/tsc

[sam-github]

I confess I have no opinion.

The only difference between top-level working groups and core working groups is whether they are ratified by the TSC or the CTC. There seems to be discussion even among the TSC/CTC whether they are actually different, I don't have an opinion.

Top-level projects seem to me to be code that is arms-length from Node.js. A version manager, for example, might be a new TLP, or if the npm client was merged into the node foundation, it would be. I don't see the Sec group as like that, since they would be concerned with security of Node.js itself, the core, much like the benchmarking group is concerned with the performance of Node.js.

I can see the Sec WG starting some work that they would then decide should be factored out into a seperate top-level project - maintaining the nsp donation and its servers, perhaps (just an example, its not clear that will be done, or by whom).

That said, I've no strong opinion. All the 3 options seem capable of doing the same work (which makes me think that there may be too many options, but that's not something I have a strong opinion on, either).

[sam-github]

The list of responsibilities should be specific. Once established, these responsibilities are no longer governed by the TC and therefore should not be broad or subjective. The only recourse the TC has over the working group is to revoke the entire charter and take on the work previously done by the working group themselves.

After reading even more, @williamkapke , is this the source of your concern? That the purpose of this "Working Group" is not very specifically defined, and in order for it to decide on its own what it will do, it needs to be a top-level project?

[williamkapke]

Really, my only concern is just that it is set up with the correct reach and authority according to the Board's wishes (since this was handed down from the Board).

MY understanding is that the public API is a gigantic priority and portion of this group's focus... meaning the Project (code) is a main focus. Maybe I misunderstood the immediate priorities.

[joshgav]

My suggestion is to ratify this as a TSC WG for now for the following reasons:

• It seems broader than Core because ecosystem modules are a prime part of its scope.
• It seems to fit in the definition of Node core as an "adjacent project".
• Although it may eventually grow in scope to warrant an independent TLP, it seems premature to add that level of process and expectation now.

Do we want the TSC to ratify this now?

/cc @nodejs/tsc

[sam-github]

This WG is still in the incubation state, @mhdawson suggests we wait until we've made more progress and then consider applying to be a formal working group. We can reopen this at that time.