Minutes 2024-07-18
- Meeting time & place
- Attendees
- Regrets
- Absents
- Topics
  - Introduction to Stuart
  - Use something other than Slack for meetings
  - CPANminus
  - CNA process is initiated with Mitre
  - TLS/HTTPS in core
  - German Sovereign Tech fund is open for applications
  - Secure by Default
  - Eclipse ORC WG
  - CycloneDX 1.7 Sustainability fields
  - CPAN Meta Requirements and PURLs
  - POSIX::2008 vulnerabilities
  - SBOM/Supply Chain
  - Upcoming Events
  - Other topics
- Next meeting
Meeting time & place
Thu 2024-07-18 17:00 UTC @ #cpansec-discussion on matrix.org
Attendees
- @sjn
- @timlegge
- @Tux
- Stuart
- @leont
Regrets
- @stigtsp
- @book
- @garu
Absents
Topics
Introduction to Stuart
- What/Who are we
- What is our scope
- Working groups
- Work in progress
Use something other than Slack for meetings
- Any issues continuing to use Element/[Matrix], which uses Jitsi?
- This was the second meeting on Element/[Matrix]/Jitsi, and it worked very well
CPANminus
No updates
CNA process is initiated with Mitre
- @timlegge has written up an initial CNA disclosure but it needs more work - hopefully this week
TLS/HTTPS in core
- Options documented
- Currently only OpenSSL
- Should have more SSL back-ends
- Licensing is a concern - may need someone familiar with licensing to discuss
- @sjn will reach out to some legal contacts
German Sovereign Tech fund is open for applications
- A meeting occurred
- Spreadsheet set up as a WIP
- Olaf is looking at some things as well
- OpenSSF fund specific for internet infrastructure
- Level of funding and what is needed to push it forward: looking at a 500K ask
- Initial funding is an evaluation activity
- Stuart has drafted an application for the Sovereign Tech Fund in the past; it needs to be specific to meeting their goals
- About $2B available in Europe for open source
- CPAN admins are the world's experts in this area
- @sjn needs some assistance on the importance of the tasks and the “boringness” of the items
Secure by Default
- No progress/updates
Eclipse ORC WG
- @sjn – Attended CRA Intro meeting. Will share video recording once it’s published
- WG is focused on the impact of EU standards and processes on Open Source
- Currently the Perl Foundation is not a member
CycloneDX 1.7 Sustainability fields
- @sjn – No progress
CPAN Meta Requirements and PURLs
- @sjn – No progress
POSIX::2008 vulnerabilities
- No news
SBOM/Supply Chain
- @sjn – Added a simplified SC graph that includes an OSS Steward role. Also worked on simplifying and cleaning up errors
- Clean ups
- It needs some reading from the community - especially CPANSec
- Some role specific guidance would help as well as simplification of the documentation
- @garu also wants to work on modules to do SBOM
- @ovid’s SBOM CycloneDX parser is still out there
Upcoming Events
Outreach is important and needs to continue
- PostgreSQL Lowlands 2024 NL - Fri 13 Sep 2024
- Open Source Summit Europe in Vienna, Austria - September 16-18 + 19-20 - Lots of people from OpenSSF + SBOM + Supply chain security communities
- London Perl Workshop - Saturday 26th October 2024 - possible talk opportunities
Other topics
Next meeting
- Aug 1, 2024 at 17:00 UTC, #cpansec-discussion on matrix.org