Minutes

2024-06-05 16:00 UTC @ TPRF Slack #cpan-security channel

Attendees

  1. @sjn
  2. @stigtsp
  3. @timlegge
  4. @petek

CPANminus

  1. timlegge and stigtsp met to discuss the CNA and some CPANminus things
  2. stigtsp and garu held CPANminus discussions with the Docker folks for Perl, to try to move to secure by default
  3. No update on the secure by default release of cpanm
  4. Can we ask cpan.org to force a redirect to HTTPS?

OpenSSF

  1. sjn mentioned OpenSSF and recommended that we join a couple of their groups
  2. Working group for securing software repositories
  3. Supply chain security

CNA process is initiated with Mitre

  1. Waiting on their reply.
  2. I expect that they will want to validate some items.
  3. Looking at cve-request@perl.org as the request address

TLS/HTTPS in core

  1. No update on the TLS/HTTPS in core and Leon was unable to attend.

German Sovereign Tech fund is opening in a week

  1. Should apply and see what happens
  2. Minimum is 150K
  3. Try to apply for money for SSL/TLS in core funding
  4. Discussion of a vetted cpan module download site with attestation

Secure by Default

  1. Create a list of modules/dists that need to be fixed for CPAN to be “Secure by Default”