Funding

  • Funding targets
    • Org structure research, based on requirements from the OSS community, authorities and market needs.
    • Setup of Org, bylaws and guiding documents, etc.
    • Outreach and Information work
    • Business model development with goal of making Org economically sustainable
    • Gathering/recruitment of competent contributors
    • Project management
    • Coordination and interaction with EU commission, ENISA etc.
    • Active participation in OSS Steward expert groups & fora (e.g. DG CONNECT expert group; ORC WG; LF workstreams)
    • Networking across similar “CPAN-Shaped” Open Source ecosystems
    • Budgeting & planning
    • Other business and activities
  • Required and preferred sums, reporting, meeting frequency, etc.

NLNet Foundation & Apell.info

  • @markov - Ask if he can help with Steward funding

Steward Activities

OSS Steward

  • a legal person
    • (not Manufacturer) who
  • has the purpose or objective of
    • systematically providing support
      • on a sustained basis
    • for the development of
      • specific [OSS PDEs intended for commercial activities] and
    • that ensures the viability of those products

— (Article 24)

  • Provide (Article 25) Security attestations for
    • Article 13(5) Due diligence performed by Maintainers in cooperation with the Steward and the Manufacturers
  • Offer (Article 13(6)) contribution obligation fulfillment statements.
  • Put in place and document a cybersecurity policy (Article 15)
    • foster development of secure Products with Digital Elements
    • foster effective handling of vulnerabilities by the developers of that product
      • taking into account the specific nature of the open-source software steward
      • and the legal and organisational arrangements to which it is subject
    • foster voluntary reporting of vulnerabilities (Article 15) by the product developers
    • help document, address and remediate vulnerabilities
    • help promote the sharing of information concerning discovered vulnerabilities within OSS community
  • Cooperate with market surveillance authorities, at their request (Article 24)
    • mitigate cybersecurity risks posed by PDEs with OSS
  • Report on vulnerabilities & severe incidents to the extent they’re involved in the development of PDEs,
    • to designated CSIRTs/ENISA/users (Article 14(1), Article 14(3), Article 14(8))

Other activities

  • Notarizing BOMs
  • Automating BOM sharing, payment, access to attestations, etc.
  • Possible tasks
    • Confirm quality of metadata, packaging, contact points, distribution
    • Steward as co-maintainer?
  • Stewards offering a freelance job marketplace
  • Exposing the availability of transitive attestations, given the presence of one component

Arguments

  • Maintenance is not free
  • Due diligence requires attention from code owners
    • more attention for “full autopsies” than for “cursory sanity checks”
  • Countering notification fatigue among manufacturers with massive dependency graphs
  • Facilitate the application of Kerckhoffs’ principle (everything about a system should be public knowledge, except the keys) in the implementation and securing of business-critical digital infrastructure.

Documentation

  • Security Assessment Practices
  • Security Hygiene Recommendations
  • Pilot projects for applying recommendations

Questionnaire

Preparatory tasks

  • Needed: Policies around existing project lifecycle events

Organization

  • Corporation with a social purpose (“Aksjeselskap med sosialt formål”)

TODO

  • Skatteetaten (Norwegian Tax Administration) contact form
    • “help with start-up”
    • legal department: consequences of the Cyber Resilience Act
  • Search: “starting a cooperative (samvirkeforetak), bylaws”
  • brreg (Brønnøysund Register Centre) “sector code” (sektorkode)
  • a cooperative (samvirkeforetak) is in principle incompatible with non-profit status (!)