Minutes 2024-02-10
Meeting was on Saturday February 10th 2024, at 15:00 UTC, on the TPRF Slack server, in the #cpan-security channel.
Attendees, absents & regrets
- Attendees
  - @oalders, @tux, @timlegge, @leont, @stigtsp, @sjn
- Regrets
  - @hydahy, @tinita
Quick summary of current work
- CPAN Metadata & Software Bills of Materials
  - @tux – Create a guide with advice on what to do upon learning of a vulnerability.
  - @sjn – Reported from FOSDEM and a FOSDEM Fringe SBOM workshop he attended.
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
  - @stigtsp – Reported on his conversation with Mickey. Work on exposing CVE data on MetaCPAN is ongoing. An API endpoint is already up (created at PTS 2023).
  - @stigtsp – GitHub Actions are not available for converting CPAN::Audit vulnerabilities to @garu's new format; looking for alternatives.
  - @stigtsp – Registering CVE identifiers for older unpublished vulnerabilities, to communicate security updates that may not have been applied downstream.
- CPANSec Governance, Policy & Funding
  - @sjn – TPRF is looking for someone to lead the application project. @sjn and @oalders have been contacted.
Ongoing vulnerabilities
- @stigtsp – libwww-perl DoS vulnerability probably not in scope; we recommend making it public.
Operating changes
- Change of name: CPAN Security Group (short: CPANSec) – 2 voted in favor, 4 abstained
Upcoming events and deadlines
- TPRF Community Representatives meeting 2023-02-16 @ 17:30 UTC on TPRF Slack
- PTS 2024 (April 25-28 2024 in Lisbon, Portugal, organized by @garu, @book, @elbeho and @neilb)
- German Sovereign Tech Fund, Application deadline in Q2 2024
Next meeting date, organizer & secretary
- Time: Feb 24th 2024, at 15:00 UTC on TPRF Slack
- Organizer: @oalders
- Secretary: @timlegge