continuity policy and package registries? #1355

Open
ctcpip opened this issue Aug 15, 2024 · 9 comments
Assignees
Labels
cpc-working-session cross-project-council-agenda waiting-on-staff-update This issue is waiting on an update by OpenJSF staff.

Comments

@ctcpip
Member

ctcpip commented Aug 15, 2024

It didn't occur to me before when discussing #1327, but do we also need to address this issue wrt package registries, e.g. npm?

cc @bensternthal

@bensternthal
Contributor

@ctcpip I 100% agree. We can tackle this next.

@mcollina
Member

Node.js has https://www.npmjs.com/~nodejs-foundation

@bensternthal bensternthal self-assigned this Aug 20, 2024
@tobie
Contributor

tobie commented Aug 20, 2024

Discussed in the CPC call today. General agreement to include this in the continuity policy. @bensternthal to open a PR.

@tobie
Contributor

tobie commented Feb 18, 2025

Notes from this week's CPC call:

  • Using HospitalRun as a test case
  • Issue transferring the package
  • Maintainers filed issues with NPM
  • Waiting on the result of having filed this issue
  • Discussion in CPC suggests we should bring this to the security collab space

@0xAverageUser

@bensternthal @ctcpip, dropping my thoughts here after today's meeting.

I think the issue spans a spectrum based on the number of maintainers per project. The policy result would be very different depending on that number.

  • For projects with many maintainers (think 20+ on npm): adding an OpenJS maintenance account creates a honeypot and increases risk with a single point of failure.
  • Few or no maintainers (0-3 active): OpenJS plays a critical role in supporting, takeover, archiving, and emergency admin removal (e.g., xz-utils).

These two extremes are, I think, orthogonal. The policy should adapt to the number of maintainers. If this is relevant, I'm happy to contribute.

@tobie
Contributor

tobie commented Feb 24, 2025

I like this framing quite a bit, @0xAverageUser. Could be used more broadly/elsewhere.

@tobie
Contributor

tobie commented Mar 4, 2025

Notes from this week's CPC call:

  • Was discussed in the Security collab space
  • General agreement as to how to move forward
  • Split doc into two different pieces (one for maintainers and one for consumers)
  • Now the work needs to happen
  • Planning to work on it in next working session

@ruddermann

ruddermann commented Mar 12, 2025

This was discussed in the 11 March CPC Working Session (attended by @bensternthal @joesepi @kj-powell @ruddermann).

NOTE: The next meeting on this topic will involve reviewing the initial draft npm Continuity Policy in this Monday's (17 March) Security Collab Space. Please attend if you'd like to contribute!

After reviewing the npm Org & Account Management and Permissions Overview DRAFT, we decided:

  • Create a new npm Continuity Policy doc with an approach that involves adding an OpenJS account to maintainer-managed npm Organization(s), inspired by the OpenJS GitHub Continuity Policy.
  • OpenJS will create a unique user account for each npm Organization.
  • The credentials and 2FA for each account will be stored in a separate 1Password vault only accessible by 1-2 key OpenJS staff (likely @rginn and @bensternthal).
  • Include compliance with this policy in the OpenJS project onboarding checklist.
  • Include best practices and recommendations related to npm in the Q1'25 update to the Security Compliance Guidelines.

Next Steps

  • Proceeding with drafting a new OpenJS npm Continuity Policy this week. This will be done by @ruddermann in the Continuity Policy tab of the DRAFT npm gDoc.
  • Add review of the new draft policy to 17 March Security Collab Space for discussion and feedback

@bjohansebas
Member

> OpenJS will create a unique user account for each npm Organization.

I'm not entirely clear on this aspect. Do you mean that a new user will be created, for example, one for Node.js, another for Express, and so on for each project?

Attending the meetings is more complicated for me now, but this is my only question at the moment.
