Minutes 2025-02-19
- Meeting Details
- 16:30 UTC – Pre-meeting socializing
- 17:05 UTC – Meeting start
- Welcome
- Attendees, absents & regrets
- Approve previous meeting minutes
- Quick summary of current work (Grouped by project)
- TLS/HTTPS/CSPRNG/DSA in core
- Funding drive
- Ongoing vulnerabilities
- Author guide to generating random values for security
- CPAN Author’s Security Policy Guidelines
- CPAN Meta Spec, Requirements and PURLs
- NIS2 consultation
- Eclipse ORC WG
- CycloneDX 1.7 Sustainability fields
- SBOM/Supply Chain
- CPAN Steward org
- CNA Update
- Recruitment
- Perl Toolchain Summit 2025
- Other
- Upcoming events and deadlines
- Operating changes
- Next meeting date, time and location
- 18:14 UTC – Meeting end
- 18:15 UTC – End
Meeting Details
- 2025-02-19 17:00 UTC on #cpansec-discussion on Matrix
16:30 UTC – Pre-meeting socializing
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (…)
17:05 UTC – Meeting start
Welcome
- Meeting chair: @timlegge
- Meeting scribe: @sjn
Attendees, absents & regrets
- Attendees
- @sjn, @leont, @thibaultduponchelle, @stigtsp, @timlegge
- Regrets
- @tux, @robrwo
Approve previous meeting minutes
- Previous meeting minutes were approved by @timlegge, @stigtsp, @leont and @thibaultduponchelle, and merged by @sjn
Quick summary of current work (Grouped by project)
- CPAN Metadata & Software Bills of Materials
- …
- CPAN Privacy and Compliance
- …
- CPAN Provenance & Supply Chain Security
- …
- CPAN Security Outreach & Information
- …
- CPAN Security Patch Tooling
- …
- CPAN Software Composition Analysis
- …
- CPAN Transparency Logs
- …
- CPAN CNA & Vulnerability Index
- …
- CPANSec Governance, Policy & Funding
- …
- CPAN Secure by Default
- …
TLS/HTTPS/CSPRNG/DSA in core
- @leont - no progress
Funding drive
- @sjn – who is open to doing (funded) work? (contact @sjn)
- @stigtsp 1d/w
- @leont
- @sjn - Explore options with Ovid’s company
Ongoing vulnerabilities
- @timlegge - @robrwo working on RNG-related ongoing issues; CVEs to be registered by CPANSec CNA when it’s active
- @timlegge - Crypt::Random release
- @timlegge - Crypt::Bcrypt issues around password length
Author guide to generating random values for security
- Crypt::SysRandom to be added, but fine to go
CPAN Author’s Security Policy Guidelines
- @stigtsp - Minimal (TLDR) version of policy wanted
- @tux - Team document template wanted; Help needed
- @leont - Dist::Zilla plugin created
CPAN Meta Spec, Requirements and PURLs
- @sjn - started on writing an overview of issues to be resolved before PTS
- @sjn - picking up CPAN::Meta::Spec after FOSDEM
- @sjn - need to push GDT’s update to spec
NIS2 consultation
- @sjn - new meeting 2025-02-18; ENISA appreciates the feedback
Eclipse ORC WG
CycloneDX 1.7 Sustainability fields
- @sjn - starting on the final stretch - project- & ecosystem-supplied status fields.
SBOM/Supply Chain
- @tux - we need tools for working with SBOMs; correct SBOMs.
- @thibaultduponchelle - wants some feedback on his starjacking text (good enough to merge or drop?)
- @sjn and @thibaultduponchelle - chat about this (set up meeting)
CPAN Steward org
- @sjn - Discussions on TPRF slack #cpansec-steward; Mostly @sjn making noise; Contributors needed.
- @elbeho and @markov invited; @markov shared lots of good insights
- @sjn also met with others in his environment who care about Open Source-friendly project ownership structures & bylaws
- General invite sent out on Mastodon
- Forum for discussing this has been set up on the TPRF slack: #cpansec-steward; please reach out if you need invites!
- should we set up a separate project for this, or use Governance/Policy/Funding? - no
- @sjn has been asked by BSI and FSFE to help with perspectives and questions for a questionnaire. Discussions around this happen in #cpansec-steward on the TPRF Slack
CNA Update
- @timlegge - CNA disclosure published thanks to @sjn’s help
- @sjn - Should CPANSec follow the Node community’s example of issuing CVEs for EOL-versions of Perl? - not discussed
- @stigtsp - updates from MITRE to be announced
- @timlegge - contact DAVEM, TONYC
Recruitment
- @sjn - look at the next events for opportunities
Perl Toolchain Summit 2025
- @sjn - Create document on what CPANSec-relevant issues need to be decided on/discussed at PTS
Other
- @stigtsp - CVE portal setup
- @stigtsp - domain name; we’re using metacpan.org branding, but also own the cpansec.org domain. What to do with this?
Upcoming events and deadlines
- (Belgium) FOSDEM Fringe 2025 - Friday January 31st, Brussels
- (Belgium) FOSDEM 2025 - 2025-02-(01-02), Brussels - three relevant devrooms!
- (Germany) PTS 2025 - Thursday 2025-05-01 … Sunday 2025-05-04 in Leipzig, Germany
- (Germany) GPW 2025 - Monday 2025-05-12 … Wednesday 2025-05-14 in Munich, Germany. (CfP is open)
- (USA) TPRC 2025 - Friday 2025-06-27 … Sunday 2025-06-29 in Greenville, SC, USA (CfP is open; Deadline: 2025-03-15)
- (Norway) Sikkerhetsfestivalen 2025 - Monday 2025-08-25 … Wednesday 2025-08-27 in Lillehammer, Norway. (CfP is open; Deadline: 2025-03-03)
Operating changes
- @sjn - Published the CPANSec meeting calendar on Google, via our perl.social Friendica account calendar. This calendar is public! Reach out to @sjn to get access to update it.
- perl.social seems a bit unreliable :-( - maybe use another shared calendar solution? (e.g. cryptpad?)
Next meeting date, time and location
- Next meeting is Wednesday 2025-03-12 @ 17:00 UTC in #cpansec-discussion on Matrix (17:00 Europe/Amsterdam)