Adding a "security" property to dist/index.json

[bnb]

Per a brief discussion in today's Node.js Security Working Group meeting, I wanted to bring up the possibility of adding a security property into the dist/index.json.

To outline a possible structure/implementation for this property:

• add a security property to each new release object, from the date it's implemented and beyond
• this property has a key of security and a boolean as the value
  • if the release is a security release, this boolean will be true
  • if the release is not a security release, this boolean will be false

The intent is that this is similarly structured to LTS, providing a signal to consumers of the file that a release is a security release.

Theoretically, developers (us included!) could use this in a few ways:

• loop over every release in a release line until they encounter true – when they encounter true for the first time, they know that version is the minimum secure version
• create a log of all security releases, and tie those to blog posts (which can be programmatically linked thanks to our blog post structure)
• in lists displaying Node.js versions, indicate which versions are security releases (think something like Glitch or RunKit)

Hopefully this wouldn't be a massive burden for y'all when maintaining releases, but if it is that's 100% understandable ❤️

[richardlau]

Seems reasonable, although it would be reliant on the person doing the release to update the property. Security releases are typically not done by the regular releasers.

[sam-github]

It would have to be part of the release process, and it could also be part of the security release process. The person going through the sec release process often isn't doing the actual cutting of the release, so a step there of "check that the metadata was correct" could be useful as a double-check.

[richardlau]

The tool to generate dist/index.json is https://github.com/nodejs/nodejs-dist-indexer.

[richardlau]

I imagine it would be more the security release process, with the property defaulting to false like the NODE_VERSION_IS_RELEASE flag is.

[MylesBorins]

We may want to add a similar NODE_VERSION_IS_SECURITY_RELEASE tag in the build

[mhdawson]

Both adding it to the meta data and @MylesBorins suggestion makes sense to me. +1

[richardlau]

I'll have a look at what changes would be needed (on the Node.js core build side and nodejs-dist-indexed).

[richardlau]

Raised nodejs/node#27612 and nodejs/nodejs-dist-indexer#8.

[richardlau]

Added to the Release agenda as this is a change to the release process.