Meeting details
- 2024-11-27 17:00 UTC on #cpansec-discussion on Matrix
15:30 UTC – Pre-meeting socializing
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (…)
16:00 UTC – Meeting start
Welcome
- @thibaultduponchelle joined :)
- Meeting chair: @timlegge
- Meeting secretary: @sjn & @tux
Attendees, absents & regrets
- Attendees
  - @sjn, @stigtsp, @tux, @timlegge, @garu, @robrwo
- Regrets
  - @thibaultduponchelle (joined later), @leont
Approve previous meeting minutes
- Previous meeting minutes were approved by @timlegge and @thibaultduponchelle, merged by @sjn
Mailing List
- @stigtsp - Discuss recent issues with our mailing lists being public instead of being private
- @stigtsp - presented taken actions and open issues
- @sjn - taken decisions should be properly communicated - @stigtsp will start a writeup, @sjn will review
- means of advertising will be discussed in the upcoming days
Quick summary of current work (Grouped by project)
- CPAN Metadata & Software Bills of Materials
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
  - New and existing documentation being discussed in relation to open subjects
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
- CPANSec Governance, Policy & Funding
- CPAN Secure by Default
TLS/HTTPS/CSPRNG/DSA in core
- @leont implemented BearSSL and is now fighting IO::Socket::SSL. @BooK & @leont are not present to explain
German Sovereign Tech fund
- @sjn - no work done; @garu’s personal application was rejected: more feedback on why would be welcome
- @sjn gives more background information and mentions @stuart’s work
Ongoing vulnerabilities
- @stigtsp - No movement around Mojo’s secure token/secrets issues; volunteers needed
- @stigtsp - One more vuln known, needs a volunteer; @timlegge may take a look
CPAN Author’s Security Policy Template/Guidelines
- @robrwo - working on initial draft - review required
- @sjn mentions already written documents - maybe merge or restructure
- new ideas are tossed around and proposed by @stigtsp
- @sjn - issue of setting up security email aliases for dists that go to authors + CPAN sec. May be a good topic for PTS
Eclipse ORC WG
- @sjn - Workshop planned in December in Amsterdam (spec Steward roles)
NIS2 consultation
- @sjn - Comments to chapter 5 (Supply chains) submitted together with OpenSSF, FSFE, NLnet Labs and GitHub
- This group is likely to have a meeting with ENISA in December
- @sjn - Chapter 3 (Incident response) and chapter 6 (Secure software development) comments being worked on.
- @abraxxa, @robrwo and some of the folks at Hackeriet have contributed
- @tux - Date is set to 2024-05-01 … 2024-05-04
CycloneDX 1.7 Sustainability fields
- @sjn - ongoing; currently working on a taxonomy of non-funding support. Currently slowish
POSIX::2008 vulnerabilities
- @stigtsp - Probably best to register a CVE
SBOM/Supply Chain
- @sjn - minor tweaks; working on connecting fields with metadata sources. First PR received
CNA Update
- @timlegge - Mitre confirmed receipt of the CNA request form, which will be reviewed soon.
Recruitment
Other
- Discussion about a matrix of security-related items for CPAN releases
- @stigtsp - Meeting with tib and Stian next week about tib’s research
- tib and @timlegge look into PAUSE pentesting
Upcoming events and deadlines
- FOSDEM Fringe 2025 - Friday January 31st, Brussels
- FOSDEM 2025 - February 1-2, Brussels - three relevant devrooms!
- PTS 2025 - Most likely date: first week of May
Operating changes
Next meeting date, time and location
- Next meeting is Wednesday 2024-12-11 @ 16:00 UTC in #cpansec-discussion on Matrix (17:00 Europe/Amsterdam)
17:20 UTC – Meeting end
17:20 UTC – Post-meeting socializing end