doc: add binary generation threat #1433
Co-authored-by: Yagiz Nizipli <[email protected]>
LGTM
There is the supply chain vector as well where the tooling for generating the binaries can be compromised outside the CI pipeline and brought in via a trusted source.
I think that still falls in the
Yep!
Is it worth including https://github.com/nodejs/unofficial-builds which we use for the alpine docker images?
Has any consideration been given to the website now recommending ways of installing Node.js that are outside of the project's control (e.g. nvm, fnm) but which are the default options when visiting the website?
I also don't see the nodejs/nodejs.org GH repo, which is where the download links/blog posts are published. This is separate from Vercel, where the website is deployed.
We discussed it in the last security wg meeting and we'll include nodejs.org, yes. I'll do it right after this PR lands.
lgtm
A few typographic suggestions - this looks like a good addition overall. I'll try and go through it in a bit more detail to see if I can think of anything else too.
(Also, primarily as a note to self when I come back: [here](https://github.com/nodejs/security-wg/blob/add-more-threads-to-maintainers-model/MAINTAINERS_THREAT_MODEL.md) is the rendered version from the PR branch.)
Co-authored-by: Stewart X Addison <[email protected]>
Co-authored-by: Ulises Gascón <[email protected]>
Co-authored-by: Richard Lau <[email protected]>
Please take a look:
@nodejs/tsc @nodejs/build @nodejs/releasers @nodejs/security @nodejs/docker
cc: @nodejs/security-wg