CPANSec bi-weekly minutes
- Agenda & Meeting Details 2025-04-23
- 15:43 UTC - Pre-meeting socializing
- 16:08 UTC - Meeting start
- Welcome
- Agenda
- Current matters
- Operating changes
- Metadata & Software Bills of Materials
- Compliance, Guidance & Standards
- Security Information & Outreach
- CNA & Vulnerability Index
- Secure by Default
- Organization, Governance & Funding
- Security Patch Tooling
- Authentication & Trusted Publishing
- Software Composition Analysis & Vulnerability Detection
- Transparency Logs & Trusted Distribution
- Any Other Business
- Next meeting date, time and location
- 17:19 UTC - Meeting end
- 17:19 UTC - End
Agenda & Meeting Details 2025-04-23
- 2025-04-23 16:00 UTC on #cpansec-discussion on Matrix
15:43 UTC - Pre-meeting socializing
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (…)
- Check and resolve technical (A/V) issues before the meeting starts
- Come as you are!
16:08 UTC - Meeting start
Welcome
- Meeting chair: @thibaultduponchelle
- Meeting scribe: @sjn, @tux
Attendees, absents & regrets
- Attendees
- @thibaultduponchelle, @leont, @sjn, @tux, @stigtsp
- Regrets
- @timlegge, @robrwo
Approve previous meeting minutes
- Previous meeting minutes PR was approved by @thibaultduponchelle, @timlegge and @robrwo, and merged by @sjn
Agenda
Current matters
CPAN Testers
- @tux - CPAN Testers work happening at PTS; We should contribute!
- e.g. ask if CPAN Testers can add results of Test::CVE
XML::LibXML
- @tux - XML::LibXML touches CVE issues in Alien
Operating changes
- @sjn - Proposal: Add RSS feeds to the matrix channel? Suggestions for channel admins:
- Mastodon feed: https://fosstodon.org/@cpansec.rss
- News feed: https://security.metacpan.org/feed.xml
- CVE announcements feed: @stigtsp - can be done as part of an automated CVE announcement process
- CVE updates feed: Can hook right into the CVE.org database maybe
- @stigtsp - good idea!
Metadata & Software Bills of Materials
CPAN::Meta::Spec, Requirements and PURLs
- @sjn - picking up CPAN::Meta::Spec after FOSDEM
- Done! Details added to OP on https://github.com/Perl-Toolchain-Gang/CPAN-Meta/issues/137
- Topic also added to PTS list of projects/talks
CycloneDX 1.7 Sustainability fields
- @sjn - Ongoing: project- & ecosystem-supplied status fields.
- @sjn - Proposed moving this to ECMA TG54 as the “Dugnad Specification” project
Compliance, Guidance & Standards
CPAN Author’s Security Policy Guidelines
- @stigtsp - Minimal (TLDR) version of policy wanted
- @tux - Team document template wanted; Help needed
- @timlegge has started on something; happy to discuss with @tux; PR in the works
- @robrwo - not so much a different kind of doc as a possible different way to report vulns
- @sjn - Alternative documents needed for non-Europeans (requested by jnap)
- @sjn - can help with a CRA perspective
- @sjn - ORC WG FAQ may help
- @robrwo - this may be misunderstanding of the purpose of the document
- @robrwo - the doc is best practice not specific to countries etc.
- @robrwo mini-project to encourage the popular modules to add a security policy
- See https://metacpan.org/favorite/leaderboard for a list
- Sounds like a good idea
- security.md, sbom and valid cpanfile, cpansa and busfactor, cpan.org email
- cpants has experimental support
- look into “update your cpan module” month (ref @tux’s checklist)
- @robrwo interpreted this as a “security checklist”, which is a bit too broad in scope and overlaps with secure coding guidelines; was thinking of a trimmed-down metadata/config/documentation security checklist
- @robrwo contacts manwar to see if he’d like to help with outreach
- @robrwo updated guidelines
- license for template/excerpts to 0BSD
Security Information & Outreach
- [ ] @robrwo suggesting a regular blog series
- blog posts smaller scope than monolithic documents/guides
- different authors and topics including current news items
- regular posts can get more attention
- @thibaultduponchelle - let’s make it easier to post
- @sjn - let’s add a new channel for smaller/faster blog posts that have lower PR quality requirements
Recruitment
- @thibaultduponchelle - inviting @jjatria to join
Perl Toolchain Summit 2025
- @sjn - Create document on what CPANSec-relevant issues need to be decided on/discussed at PTS
- @sjn - Everyone, please add tasks to the PTS wiki Projects page!
- @stigtsp and @tux - Better tooling for CNA CVE
- @stigtsp and @timlegge - Intro to CNA CVE (onboarding?)
- @stigtsp - Show CVEs on MetaCPAN
- @stigtsp (+@timlegge, +@garu) - Help with perlsecpolicy
- @stigtsp - Talk about “CVE?”
- ? - Show security policies on MetaCPAN
- @stigtsp and @tux - Better feed for Test::CVE and friends
- @sjn - CPAN::Meta update
- Complete the dependency graph
- Allow linking to SBOM documents that are passed along the distro
- Discuss which new required metadata fields need to go into the CPAN::Meta::Spec, and which should go into SBOMs
- metadata for vulnerability reporting (email or url)
- @sjn - Open discussion: CPANSec as an OSS Steward
- Present purpose and regulatory requirements
- Discuss and decide on community aligned principles to be enshrined in the Charter
- Who are possible founding stakeholder groups?
- @tux - DBI on how to use tooling to improve security there
- @tux - discuss errors from gcc-14 (-Wno-error=…) and gcc15 (C23)
- @thibaultduponchelle and @tux - Test::Smoke - Deprecate PerlIO/Stdio dual testing; Add patching facilities during smoke
- @thibaultduponchelle - PAUSE - Review the operating model
- @thibaultduponchelle - CPANSec - Maybe some CPAN installer patch tooling discussion and implementation (but limit to a POC); Maybe some PAUSE pentesting?
- @sjn and @tux - create an SBOM from Perl’s Configure
- @sjn - whatever else people need him for. :-)
New Guide needed: PackageURL
- @sjn - We need a comprehensive PackageURL guide that answers/covers all relevant use cases
- Non-perl project uses perl executable provided by packaging system // plenv // build-perl // ActiveState // etc.
- Non-perl project uses a tool provided on CPAN
- Non-perl project uses a vendored/included tool written in Perl
- Perl project not on CPAN uses a CPAN module found on CPAN
- Perl project found on CPAN uses a CPAN module found on CPAN
- Perl project not found on CPAN uses a CPAN module not found on CPAN, but a DarkPAN
- etc.
- @sjn - No progress
CNA & Vulnerability Index
CNA Organization
- @stigtsp, @timlegge - Presentation of CNA work so far
- @stigtsp - 8 CVE identifiers reserved, and 14 published in our database, as of now
- @stigtsp - We need more help from others in the triage group:
- Contact @timlegge, @stigtsp - Analysing vulnerabilities
- Contact @timlegge, @stigtsp - Integrating CVE process more with triage
- @robrwo - CNA/CPANSec workflow description needed from CVE reservation to disclosure
- (Volunteer needed) - Write a guide/workflow doc, including details on how embargoes work
- @stigtsp - guided CVE writeup-sessions at PTS and at regular times otherwise
- @stigtsp and @timlegge prepare a dummy scenario
Secure by Default
TLS/HTTPS/CSPRNG/DSA in core
- @leont - share ongoings & blockers
- @leont - Let's leave it till after PTS
Ongoing vulnerabilities
Organization, Governance & Funding
Funding drive
- @sjn - who is open (or willing to commit) to do funded work? (e.g. X days per week)
- @stigtsp 1d/w
- @robrwo 0d/w
- @leont (? - please contact @sjn)
- @garu (? - please contact @sjn)
- Others? (contact @sjn!)
- @sjn - Explore options with Ovid’s company
- @sjn - Talk with prospective companies to look for opportunities
- @sjn - Organize fundraiser’s coordinator meeting w/Olaf & Stuart (delayed)
- @sjn - Investigate pre-project funding chances with NUUG foundation
- @sjn - New project overview in the works: https://cryptpad.fr/sheet/#/2/sheet/edit/vazHpOmoK6bM-qKo7WRpzq6U/
Eclipse ORC WG
- @sjn - Misc. ongoing activities
CPAN Steward org
- @sjn - Discussions on TPRF slack #cpansec-steward; Mostly @sjn making noise;
- Contributors who care about governance needed; Please reach out to @sjn
Security Patch Tooling
- not discussed
Authentication & Trusted Publishing
- (Volunteers/tuits/funding needed - this topic is available for adoption!)
Software Composition Analysis & Vulnerability Detection
- (Volunteers/tuits/funding needed - this topic is available for adoption!)
- We decided to close this project;
Transparency Logs & Trusted Distribution
- (Volunteers/tuits/funding needed - this topic is available for adoption!)
Any Other Business
- @stigtsp - Can someone look at the cpansa-feed? It’s been broken for a while now :-(
- (Volunteers needed) This is important.
- (We hear some people are looking into this)
- @robrwo - methods for notifying multiple maintainers of security issues as part of the Perl ecosystem (RT or some kind of cpan.org mailing list)
Upcoming events and deadlines
- (Sweden) FOSS North - Monday 2025-04-14 … Tuesday 2025-04-15 in Gothenburg, Sweden
- @sjn participated; lots of good conversations; found people involved in the “security insights spec”, potential contributors to the Steward bylaws, and much more.
- (Germany) PTS 2025 - Thursday 2025-05-01 … Sunday 2025-05-04 in Leipzig, Germany
- @tux, @stigtsp, @leont, @garu, @sjn, @thibaultduponchelle, @timlegge are going
- (Germany) GPW 2025 - Monday 2025-05-12 … Wednesday 2025-05-14 in Munich, Germany. (CfP is open)
- @sjn is going, one talk submitted
- (Norway) Internet Governance Forum 2025 - Monday 2025-06-23 … Saturday 2025-06-28 in Lillestrøm, Norway; (Call for Sessions)
- @sjn may be going (TBD)
- (USA) TPRC 2025 - Friday 2025-06-27 … Sunday 2025-06-29 in Greenville, SC, USA (CfP is open; Deadline: 2025-03-15)
- (Croatia) EuroBSDCon 2025 - Thursday 2025-09-25 … Sunday 2025-09-28 in Zagreb, Croatia; (CfP is open; Deadline: 2025-06-21)
- (Belgium) OpenSSF EU Policy Summit - 2025-10-30, in Ghent, Belgium;
- (World) CPAN 30 year anniversary - Sunday 2025-10-26
Next meeting date, time and location
- Next meeting is Wednesday 2025-05-07 @ 16:00 UTC in #cpansec-discussion on Matrix (18:00 Europe/Amsterdam)