CPAN Security Group

A forum for coordinating and help resolving security issues on CPAN. CVE Numbering Authority (CNA) for Perl and CPAN. Subscribe, contribute or join!

2 minute read

Meeting time and place

2024-07-03 17:00 UTC @ TPRF Slack #cpan-security channel

Attendees

  1. @sjn
  2. @stigtsp
  3. @timlegge
  4. @book
  5. @Tux
  6. @garu

Regrets

  1. @leont

Not attending

Topics

Use something else than Slack for meetings

  • Something with better audio quality
  • That doesn’t require invites/sign-in

This meeting was done in Element/[Matrix], which uses Jitsi. Went well.

CPANminus

  1. We have sent PRs to master and development
  2. An independent PR has been sent into the official perl-docker image.
  3. Trying to push for use of the new patched version
  4. Some argument about whether to accept into the docker images.
  5. @Tux mentioned the fallback is needed - an environment variable would suffice

CNA process is initiated with Mitre

  1. @timlegge: Mitre finally got back to me and has some information they need as well as scheduling a meeting with them to discuss
  2. @timlegge Stig and I are discussing
  3. We could use some additional help as we go further with a CNA Please reach out if you have time and an interest.

TLS/HTTPS in core

  1. @leont said “I did start working on that”, but hasn’t shared a document yet
  2. New PSC will likely support HTTPS in core - there will be a meeting between old and new and it will likely continue

German Sovereign Tech fund is open for applications

  1. @sjn suggests a poll of who can commit time to the work that could be started based on an application
  2. Peter will help post US Perl conference
  3. We need someone who can do project management.

Secure by Default

  1. @stigtsp and @garu are putting together a list
  2. Sigstore and TUF could/should be on the list

Eclipse ORC WG

  1. @sjn - goal is to give feed back on the EU standards and regulations
  2. Project has a technical lead
  3. TPRF is a foundation, and Perl NOC hosts code. In theory neither can join the organization - an org needs to both host and be a foundation/non-profit.

CycloneDX 1.7 Sustainability fields

  1. @sjn - talked to someone who is working in the sustainability of open source projects

CPAN Meta Requirements and PURLs

  1. @sjn - no update

POSIX::2008 vulnerabilities

  1. @stigtsp mentioned needing to look at registering CVE for that.

SBOM/Supply Chain

  • @sjn - has been sharing and still a WIP. The contents are in a good place at this time.
  • Please read and provide feedback if you can
  • Discussed at the OpenSSF numerous times

Upcoming Events

  1. The Perl and Raku Conference in Las Vegas, NV - June 24-28, 2024
  2. Open Source Summit Europe in Vienna, Austria - September 16-18 + 19-20 - Lots of people from OpenSSF + SBOM + Supply chain security communities
  3. London Perl Workshop - Saturday 26th October 2024 - possible talk opportunities

Other topics

  1. @Tux and @Tim worked on Crypt::OpenSSL::PKCS12
  2. @stigtsp how should a secure random module get moved to core? @garu explained the process for getting things moved into core - requests for comment, etc.

Next meeting

  1. July 18, 2024 at 17:00 UTC https://www.timeanddate.com/worldclock/converter.html?iso=20240718T170000&p1=1440&p2=1129&p3=136&p4=195&p5=16&p6=187&p7=233&p8=37&p9=250&p10=234&p11=256&p12=248