Minutes 2025-01-22
- Agenda & Meeting Details
- 15:30 UTC – Pre-meeting socializing
- 16:05 UTC – Meeting start
- Welcome
- Attendees, absents & regrets
- Approve previous meeting minutes
- Quick summary of current work (Grouped by project)
- TLS/HTTPS/CSPRNG/DSA in core
- Funding drive
- Ongoing vulnerabilities
- Author guide to generating random values for security
- CPAN Author’s Security Policy Guidelines
- CPAN Meta Spec, Requirements and PURLs
- NIS2 consultation
- Eclipse ORC WG
- CycloneDX 1.7 Sustainability fields
- SBOM/Supply Chain
- CPAN Steward org
- CNA Update
- Recruitment
- Perl Toolchain Summit 2025
- Testing & Kwalitee?
- Other
- Upcoming events and deadlines
- Operating changes
- Next meeting date, time and location
- 16:59 UTC – Meeting end
- 17:00 UTC – End
Agenda & Meeting Details
- 2025-01-22 16:00 UTC on #cpansec-discussion on Matrix
15:30 UTC – Pre-meeting socializing
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (…)
16:05 UTC – Meeting start
Welcome
- Meeting chair: @timlegge
- Meeting scribe: @sjn
Attendees, absents & regrets
- Attendees
- @sjn, @timlegge, @tux, @stigtsp
- Regrets
- @thibaultduponchelle, @robrwo
Approve previous meeting minutes
- Previous meeting minutes were approved by @timlegge and @robrwo, and merged by @sjn
Quick summary of current work (Grouped by project)
- CPAN Metadata & Software Bills of Materials
- …
- CPAN Privacy and Compliance
- …
- CPAN Provenance & Supply Chain Security
- …
- CPAN Security Outreach & Information
- …
- CPAN Security Patch Tooling
- …
- CPAN Software Composition Analysis
- …
- CPAN Transparency Logs
- …
- CPAN Vulnerability Index
- …
- CPANSec Governance, Policy & Funding
- …
- CPAN Secure by Default
- …
TLS/HTTPS/CSPRNG/DSA in core
- No real news. From the PSC minutes: “We briefly touched on feedback on our preliminary plan for TLS in core, suggesting that an even simpler approach may be possible. We will pick this back up in a future call.”
Funding drive
- @sjn will work on that after FOSDEM - will need to know who is open to do (funded) work
- @stigtsp 1d/w
- Explore options with Ovid’s company
- @sjn is contact point with regard to funding
Ongoing vulnerabilities
- @timlegge - @robrwo is working on RNG-related ongoing issues; CVEs to be registered by the CPANSec CNA once it is active
Author guide to generating random values for security
- @tux - is a separate version needed for generating passwords? Related? Subsection? (Creating, Storing)
- We’ll see how the random-data-for-security.md doc evolves, and adopt
- Expand on the curated lists of modules with both positive and negative recommendations
CPAN Author’s Security Policy Guidelines
- @timlegge - @leont’s Dist::Zilla plugin in the works
- @stigtsp - Minimal (TLDR) version of policy wanted
- @tux - Team document template wanted; Help needed
CPAN Meta Spec, Requirements and PURLs
- @sjn - picking up CPAN::Meta::Spec after FOSDEM
- @stigtsp - add PURLs to CVEs
NIS2 consultation
- @sjn - meeting with ENISA scheduled next week
Eclipse ORC WG
- @sjn - preparations for workshop Jan 30th in Brussels
CycloneDX 1.7 Sustainability fields
- @sjn - Meeting with @simbabque to prepare addition of mental health fields to spec
SBOM/Supply Chain
- @sjn - currently preparing FOSDEM SBOM devroom talk about this
- @tux - we need tools for working with SBOMs; correct SBOMs.
CPAN Steward org
- @sjn - had a meeting with @leont; started the process for setting up a WG on TPRF.
- No progress yet.
CNA Update
- @stigtsp and @timlegge have “finished” most of the homework and will submit this week
- @timlegge - Need to take https://github.com/CPAN-Security/security.metacpan.org/blob/main/docs/cna-disclosure-policy.md out of draft
Recruitment
- @sjn - CPANSec stickers for FOSDEM done, ordered and received!
Perl Toolchain Summit 2025
- @tux - Topic ideas are already being discussed in #pts on irc.perl.org.
- Looks like one hot topic will be CPAN Testers, which is currently very broken
- @tux - 3rd-wave voting ends 2025-01-31
- @sjn - Create document on what issues need to be decided on/discussed at PTS
Testing & Kwalitee?
- @tux - This is a topic to discuss in the next many meetings
Other
- @sjn - IRC notifications working again; Please give feedback on usability/noise
- @tux - contacted the author of Kwalitee w.r.t. SECURITY.md, CONTRIBUTING.md: all are added to the website
- @tux - promised to start on CVE.SKIP-like support in Test::CVE, but nothing has happened yet
- @sjn - LF/OpenSSF survey about cybersecurity awareness around CRA. Please participate: https://www.research.net/r/MRB33VK
Upcoming events and deadlines
- FOSDEM Fringe 2025 - Friday January 31st, Brussels
- Related: EU Open Source Week
- FOSDEM 2025 - 2025-02-(01-02), Brussels - three relevant devrooms!
- PTS 2025 - Thursday 2025-05-01 … Sunday 2025-05-04 in Leipzig, Germany
- gpw2025 - 2025-05-(12-14) in Munich, Germany.
- TPRC in North America - should any of us propose a talk?
Operating changes
- (none)
Next meeting date, time and location
- Next meeting is Wednesday 2025-02-05 @ 16:00 UTC in #cpansec-discussion on Matrix (17:00 Europe/Amsterdam)