Minutes 2024-03-27
Meeting details
- Time: Mar 27th, 2024, at 17:00 UTC.
- Duration: 1 hour, timeboxed. We start 30 min earlier for introductions/socializing.
- Location: On TPRF’s Slack server, in #cpan-security, with video.
16:30 UTC – Pre-meeting socializing
17:00 UTC – Meeting start
Welcome
- Meeting chair: @oalders
- Meeting secretary: @sjn
Attendees, absentees & regrets
- Attendees
  - @sjn
  - @timlegge (left early)
  - @stigtsp
  - @oalders
  - @petek (left early)
- Regrets
- Absentees
Approve meeting minutes
- Previous meeting minutes, up to and including 2024-03-13, were approved in PR#55 by @garu, @oalders and @sjn
- These minutes are to be approved in PR#56
Quick summary of current work
- CPAN Metadata & Software Bills of Materials
  - @sjn - Meeting with Steve Springett (OWASP/CycloneDX) next week about @sjn’s supply chain SBOM roles document
  - @sjn - Started planning proposals for metadata changes + SBOM at PTS
  - @sjn - To start SBOM intro presentation
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
  - @sjn - Update “how to report” page with contact info for PAUSE admins (ref. https://pause.perl.org/pause/query?ACTION=pause_04about#credits)
  - @timlegge - Write a blog post about ongoing CVE registration efforts with @stigtsp
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
- CPANSec Governance, Policy & Funding
  - @sjn - Update charter to make user security issues with PAUSE out of scope, and refer these to pause-admin@perl.org. If the PAUSE folks would like to invite us at some point, we can update the charter again.
  - Information about recent PAUSE account compromises has been lacking; it would be good to see this improved.
  - Review basic opsec on PAUSE systems; it needs to be up to speed before we consider working on TUF. RJBS is working on PAUSE-in-the-cloud.
  - CPAN ecosystem trust is also at stake.
  - @ingy contacts NEILB to see if we (CPANSec) can help somehow
  - @stigtsp found some removed dists: https://github.com/batchpause/PAUSE-git/commit/32f55d453cef4abaed76ddcf454130569b342734
  - @oalders, @timlegge, @leont and @sjn - Met on 2023-03-22 about budget that can be used for fundraising. Initial summary is at https://cryptpad.fr/code/#/2/code/edit/ot0NCG1yLcqELuwiqZ2tZD2l/
Ongoing vulnerabilities
- Two ongoing vulnerabilities being resolved.
Operating changes
- None.
Upcoming events and deadlines
- PTS 2024-04-25 to 2024-04-28
Elect next meeting chair and secretary
- Chair: @oalders
- Secretary: @sjn
Next meeting date, time and location
- Next meeting is April 10th 2024, 17:00 UTC in #cpan-security on TPRF Slack.