Proposal: Security Working Group

Hi all,

In a recent core team meeting, we discussed the idea of forming this “Security WG”. We’re pretty excited about the idea, but there are a few steps that would be good before making it “official”.

  • Scope: The most important thing is that we would want to have a kind of clearly defined “scope” or “mission statement” for the working group. It doesn’t necessarily have to be super long but it should be fairly clear. The post announcing the Domain Working Groups contains several examples.
    • Actually, the “original post” of this thread is the kind of thing we are talking about, but I’m not sure if plans changed during the course of the discussion.
    • It might also be interesting to enumerate things that are not in scope (e.g., triage vulnerability reports).
  • Name: We need to settle on a name – the “Security WG” is pretty vague and sounds like the sort of place one might send a security-related bug report. But that’s not really the plan for this WG, so can we find a better name?

In general, working groups are meant to be affiliated with some full Rust team (e.g., the NLL WG is under the compiler team): in this case, that would probably just be the “Core team”, since this doesn’t seem like a WG that derives naturally from any other. That’s fine.

Stepping back, I think we’re still experimenting with the precise process we should use for creating WGs. I’d like to see us create a central listing of Rust working groups, where you can easily see the scope, contact information, chat channel, and other things about each group. I’ll probably start by mocking this up in a GitHub issue, but hopefully this would eventually move to the web page or some other place.