Express TC Meeting - 2016-05-04 about discussions HOT 24 CLOSED

Fyi... the expressjs org now has the ability to have private repos. Github has graciously upgraded the account at no charge.

from discussions.

Suggested agenda item (suggested by @bajtos):
Just curious if we know who owns the twitter account https://twitter.com/expressjs
It looks rather abandoned -- Would it be worthwhile to revive it (if we can)?

from discussions.

Thanks @cdnadmin -- Lets discuss, all. Personally, I'm not a big tweeter, but maybe someone else wants to "own" that?

from discussions.

No current or former Express members have had control of that account. If there is some way to take over that account, please feel free to acquire it, I would say.

from discussions.

Threw the dice! Tweeted to current @expressjs user on twitter http://bit.ly/1rS0aMo to see if he/she would be willing to donate the @expressjs handle. Alas, there hasn't been activity for over a year and very sparse before then too.

from discussions.

I reached out to @expressjs, too but got no response :-(
So looks like we may be out of luck.

from discussions.

Just as an update here, I created the Google Hangout this morning. Not sure if I can attend still, as I mentioned in the past one, but I will try (links are in the description above).

@crandmck I tried to directly invite you, but you showed up as three different accounts on Google and I had no idea which one you wanted to use. I invited all three just in case. I'm thinking that inviting you directly may allow you to turn on/off the live broadcast (or maybe anyone can just by using the participants link?).

from discussions.

Thanks @dougwilson I got the invitation. I'll join and if can't attend, I'll try to start the live broadcast.

from discussions.

Guys, I am on the call. Anyone joining?

from discussions.

Its not saying it is live on the observers link. Anyone know why?

from discussions.

I'm trying to join, but keep getting an error.

from discussions.

I got some emails from Doug, but when I click on the link it says

This video call isn't available right now. Try again in a few minutes.

Perhaps I should start a Hangout myself?

from discussions.

Maybe it is because doug is not on the call. I would try starting a new one.

from discussions.

The message I get on the observers link is that it is hosted by Doug Wilson and will start soon.

from discussions.

I'm on the call with everyone else. I'm waiting for someone to say when to start the broadcast to actually hit "on air".

from discussions.

there are five of us on the hangout now

from discussions.

I can't join it for some reason... Can someone send me the link?

from discussions.

@crandmck Does the link in OP work for you?

from discussions.

Notes from TC Meeting

Discussion of the "expressjs" Twitter account: https://twitter.com/expressjs. Several people have contacted the owner, but have not gotten a response. James noted that Twitter won't help to get control over an account unless there is a copyright, which we don't yet have. So at this point, it doesn't appear there is anything we can do.

Discussion of adding governance and contribution guidelines to the website (cf. expressjs/expressjs.com#632). @crandmck is going to open a PR before next TC meeting to add this info to the site.

Discussion of getting a clear license for the material on expressjs.com (cf. expressjs/expressjs.com#413)
Douglas Wilson 4:46 PM

So just if it helps, I'm not asking to change the copyright on anything :) Just get a clear license, even if it's just a going-forward license (perhaps for 5.x and newer docs).

James Snell 4:48 PM

 Doug: +1 yeah, we should be good on that front. I recommend just using CC-SA, opening an issue saying that's what it would be and leave that open for a couple days for discussion
beyond that it's just going ahead and doing it ;-)

I believe the conclusion is to use CC-SA license. TO DO: @crandmck to open an issue as suggested.

Discussion of reported DOS vulnerability in a dependency of Express
Douglas Wilson 4:49 PM

It is fairly easy, but it would be up to the Express app to actually use one of those APIs someplace, as it's not something vulun by default in an Express app.
It's not a very commonly-used API, either.
I mean, it's whatever we think. I typically just kept it in that room, but if we think we want to openly discuss them before fixes are out, then that's up to the TC :)
There is no good, viable work-around. There is one, but it would be hacky. We could discuss that work-around and see how nice it sounds.
The work-around is essentially adding a middleware that will rewrite certain incoming headers before any other processing.
It's not a paid account.
So we cannot make private repos yet.
Nice. I'm aware that's what Node.js does, and that would be awesome to get a central place ;)
Our first vulun as the TC :D
I'm sure we'll work out the details to get his more streamlined for the future :)

Action for @jasnell is to get expressjs a paid account so we can have a private repo for security discussions. Then we can decide if/when to publicize this vulnerability.

from discussions.

I sent a note to @mikeal regarding the upgrade to a paid account who indicated that he has sent off a request. Now just waiting to hear back.

from discussions.

@dougwilson @jasnell @mikeal @crandmck @blakeembrey et al (pls forward if I needed to reference someone else): i grabbed this twitter handle, "expressjs", in case y'all want to use it in the interim--i.e. till "expressjs" gets back, if ever. this might not be a big enough priority, but I figured I'd grab it just in case.

from discussions.

Added expressjs/expressjs.com#634 for the docs license item.

from discussions.

The recorded video: https://www.youtube.com/watch?v=Wb-lU8s2sOE

from discussions.

meeting happened long back, closing. Please re-open if anything is outstanding here.

from discussions.