Meeting details
- Time: May 15th, 2024, at 17:00 UTC.
- Duration: 1 hour, timeboxed. We start 30 min earlier for introductions/socializing.
- Location: On TPRF’s Slack server, in #cpan-security, w/video.
16:30 UTC – Pre-meeting socializing
17:00 UTC – Meeting start
Welcome
- Meeting chairs: @timlegge, @tux
- Meeting secretary: @sjn
Attendees
- @tux
- @sjn
- @timlegge (left early)
- @stigtsp
- @book (arrived late)
- @leont (arrived late)
Regrets
Absents
Approve previous meeting minutes
- Previous meeting minutes were approved in PR#65 by @oalders, @timlegge and @stigtsp
Quick summary of current work
- CPAN Metadata & Software Bills of Materials
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
  - @sjn – Set up project: CVE Registration
  - @stigtsp – New public Matrix channel, thanks to @ingy and @stigtsp, at https://matrix.to/#/#cpansec-discussion:matrix.org
    - Moderation rules and a permanent setup on matrix.perl.org are on the way
    - @ingy and @stigtsp run and pay for the servers
    - @ingy, @stigtsp, @tinita and @ilmari are moderators
  - @stigtsp – Should we propose updates to the perlsec and perlsecpolicy docs in time for 5.40.*?
    - What’s written looks good; we could add some info on CPANSec
  - @stigtsp – New project for “CPAN Secure by Default” (vote: unanimous in favor)
    - @sjn – CoC to be added
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
- CPANSec Governance, Policy & Funding
  - @sjn – Charter simplification committed
- CPAN CVE Registration
- CPAN Secure by Default
Ongoing and updated vulnerabilities
Operating changes
- @timlegge – CNA progress update
  - @stigtsp and @timlegge have discussed a little; I have done a little research, but not much has changed. Hope to contact the CVE folks next week to initiate the process
- @sjn – Clarify the purpose of the mailing list. Who may join? What may (not) be discussed? How do we accept new signups? How do we decide if someone must leave? How do we change who gets to decide the above? Communicate this to the Perl NOC folks
  - @stigtsp – Applications to internal lists are coming in.
  - @stigtsp puts together draft rules.
  - @sjn wants to add joining instructions to the charter under the “how to join” heading.
- @sjn (or @book, if he can come) – HTTPS/TLS-out-of-the-box project for perl 5.42. PSC mentioned @leont may want to lead the project as a CPANSec thing? (needs confirmation)
  - We’ll also need to decide who is our single point of contact to PSC.
  - Can we manage a review of options?
  - If so, add a project under our GitHub
  - Is there grant money to fund something like this?
  - PSC wants to have suggestions by September
  - Long-term commitment and a fail-gracefully implementation are required
  - Official commitment from CPANSec is confirmed.
  - @book takes the project management job, with a commitment to complete the whole project by PSC’s deadline
  - @leont maps out implementation options
  - Progress reports during the bi-weekly meetings
- @stigtsp – Securing cpanm is progressing slowly
- @tux – Test::CVE
  - Docs improvements / illustrations in progress
Upcoming events and deadlines
- @sjn – TPRF community representatives meeting Friday May 17th @ 17:30 UTC
- Open Source Summit Europe, Vienna – September 16-20, 2024
- Nordic Software Security Summit, Stockholm – September 23-24, 2024
- London Perl and Raku Workshop 2024 – Saturday 26th October 2024
- German STF funding is accepting applications “in the second quarter of 2024”.
Elect next meeting chair and secretary
- Chair: @oalders
- Secretary: @sjn
Next meeting date, time and location
- Next meeting is June 5th @ 16:00 UTC on TPRF Slack #cpan-security channel
18:00 UTC – Meeting end
18:30 UTC – End