Meeting was on Saturday February 10th 2024, at 15:00 UTC, on the TPRF Slack server, in the #cpan-security channel.
- Attendees
  - @oalders, @tux, @timlegge, @leont, @stigtsp, @sjn
- Regrets
  - @hydahy, @tinita
- CPAN Metadata & Software Bills of Materials
  - @tux – Create a guide with advice on what to do when one learns of a vulnerability.
  - @sjn – Reported from FOSDEM and a FOSDEM Fringe SBOM workshop he attended.
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
  - @stigtsp – Reported on his conversation with Mickey. Work on exposing CVE data on MetaCPAN is ongoing. An API endpoint is already up (created at PTS 2023).
  - @stigtsp – GitHub Actions not available for converting CPAN::Audit vulns to @garu's new format; looking for alternatives.
  - @stigtsp – Registering CVE identifiers for older unpublished vulnerabilities, to communicate security updates that may not have been applied downstream.
- CPANSec Governance, Policy & Funding
  - @sjn – TPRF is looking for someone to lead the application project. @sjn and @oalders have been contacted.
  - @stigtsp – libwww-perl DoS vuln probably not in scope; we recommend making it public.
  - Change of name: CPAN Security Group (short: CPANSec) – 2 voted in favor, 4 abstained
- TPRF Community Representatives meeting 2023-02-16 @ 17:30 UTC on TPRF Slack
- PTS 2024 (April 25-28 2024 in Lisbon, Portugal, organized by @garu, @book, @elbeho and @neilb)
- German Sovereign Tech Fund, Application deadline in Q2 2024
- Time: Feb 24th 2024, at 15:00 UTC on TPRF Slack
- Organizer: @oalders
- Secretary: @timlegge