|
| 1 | +# io.js TC Meeting 2014-12-17 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Google Hangouts Video**: https://www.youtube.com/watch?v=7s-VJLQEWXg |
| 6 | +* **GitHub Issue**: https://github.com/iojs/io.js/issues/163 |
| 7 | +* **Original Minutes Google Doc**: https://docs.google.com/document/d/1PoqGfxpfTFKv5GcKmhMM2siZpPjT9Ba-ooBi-ZbYNi0 |
| 8 | + |
| 9 | +## Agenda |
| 10 | + |
| 11 | +Extracted from https://github.com/iojs/io.js/labels/tc-agenda prior to meeting. |
| 12 | + |
| 13 | +* Bundle tick processor with iojs #158 https://github.com/iojs/io.js/issues/158 |
| 14 | +* Release Cycle Proposal #168 https://github.com/iojs/io.js/issues/168 |
| 15 | +* Module search security #176 https://github.com/iojs/io.js/pull/176 |
| 16 | +* Dealing with feature requests |
| 17 | + |
| 18 | +## Review of last meeting |
| 19 | + |
| 20 | +* Move readable-stream to io.js and flip authoritative flow of code, docs and issues |
| 21 | +* Soft deprecation of domains, accept PR #15 as last feature addition |
| 22 | +* Caine, discussion continued on GitHub |
| 23 | +* Project name is “io.js”, binary name is “iojs” |
| 24 | +* Extending options from prototype, discussion continued on GitHub |
| 25 | +* Promises statement for issue #11 |
| 26 | +* Working with nvm, etc. |
| 27 | + |
| 28 | +## Minutes |
| 29 | + |
| 30 | +### Present |
| 31 | + |
| 32 | +* Bert (TC) |
| 33 | +* Chris (TC) |
| 34 | +* Trevor (TC) |
| 35 | +* Isaac (TC) |
| 36 | +* Rod (build, facilitator) |
| 37 | + |
| 38 | +### Bundle tick processor with iojs #158 |
| 39 | + |
| 40 | +https://github.com/iojs/io.js/issues/158 |
| 41 | + |
| 42 | +* Bert: important because it’s tied to the version of V8, not practical to put it in npm because one is needed for each version |
| 43 | +* Isaac: this is minimal and shouldn’t set a standard for just adding more stuff to core (i.e. keep core minimal), so +1 |
| 44 | + |
| 45 | ++1 from Isaac, +1 from Bert, **no disagreement amongst group, consensus has been reached on bundling a tick processor with releases.** |
| 46 | + |
| 47 | +### Release Cycle Proposal #168 |
| 48 | + |
| 49 | +https://github.com/iojs/io.js/issues/168 |
| 50 | + |
| 51 | +* Bert & Isaac discussed how this feeds into the ability to have frequent releases. Discussed semver plays into this. |
| 52 | +* Rod: consensus seems to be around having stability, predictability, lead-time but more frequent releases. |
| 53 | +* **Bert: Move discussion to #168. Still premature to discuss here.** |
| 54 | + |
| 55 | +### Module search security #176 |
| 56 | + |
| 57 | +https://github.com/iojs/io.js/pull/176 |
| 58 | + |
| 59 | +* Limiting node_modules search path to $HOME as a top-level |
| 60 | +* Isaac ~ -1 on this because EACCES already happens when you don’t have permission |
| 61 | +* Isaac and Bert bikeshedded Windows C:\ writability and security on Windows. i.e. if someone can install code on a shared system above where a node application is running (e.g. C:\) then you could have untrusted code run by your application. |
| 62 | +* Isaac: this PR is only addressing projects running in the home directory. |
| 63 | +* Rod: module system is locked-down, TC needs to come to consensus that this is a _security_ issue and therefore warrants breaking it. |
| 64 | +* Chris: `useradd node_modules` is a situation this could be a problem |
| 65 | +* Isaac: not convinced this is a security problem, even the `useradd` situation requires root access on a system. |
| 66 | +* Bert: this is an academic issue, it may _feel_ wrong but that doesn’t mean it’s strictly a security issue. |
| 67 | +* Isaac: proposed the issue be closed as not a security issue. |
| 68 | +* **No consensus that this is a security issue. Move discussion back to GitHub, potentially close issue, potentially bringing discussion back here. Encourage users to bring examples of real problems.** |
| 69 | + |
| 70 | + |
| 71 | +### Dealing with feature requests |
| 72 | + |
| 73 | +* Bert: asking for discussion about what to do with feature requests that come up but aren’t clearly something that are wanted. |
| 74 | +* Bert: should we put a time limit on feature requests? Would like some guidelines for how to deal with these. |
| 75 | +* Chris: have already been putting a 4-6 day window before closing them. If there is no code then it’s easier to close. If there is code then there could be more discussion. |
| 76 | +* Isaac: this is a broader problem about the roadmap-setting process. |
| 77 | +* Rod & Isaac: It’s up to someone on TC (or elsewhere) to start coming up with a roadmap, or at least start the discussion. |
| 78 | +* **Agreed to start a GitHub discussion on roadmap and soliciting feedback from the community.** |
| 79 | +* Rod: in an open model, it’s up to TC and those with commit access to take the initiative to just close things, given enough warning and chance for discussion and better arguments. |
| 80 | +* Isaac: builtins (like Blog of FileReader) are TC39 / WhatWG groups out there that are doing this at the language & V8 level and we pull from there. It should be straightforward to close those issues. |
| 81 | +* Bert: the roadmap shouldn’t be about locking down the dev process and tightly limiting scope of what’s added. |
| 82 | +* **Agreed that feedback to all contributors (including TC), regarding closing issues: close issues that are instinctively bad and worth closing (close can be undone), anything potentially controversial can be flagged with a “will close” but give ~ 1 week for discussion, disagreement, lobbying etc.** |
| 83 | + |
| 84 | + |
| 85 | +### Logos |
| 86 | + |
| 87 | +* **Agreed that the release is the only _technical_ blocker from the TC’s perspective to a logo, so deferring discussion till then. Encourage interested parties from discussing this further on GitHub issue #37.** |
| 88 | + |
| 89 | +### Next meeting |
| 90 | + |
| 91 | +* Bert proposed 2014-12-30 as next meeting time |
0 commit comments