- Time: on {{ page.meeting_time | date_to_string: "ordinal", "US" }}, at {{ page.meeting_time | date: "%H:%M %Z" }}. ([Other timezones](https://www.timeanddate.com/worldclock/meetingdetails.html?{{ page.meeting_time | date: "year=%Y&month=%m&day=%d&hour=%H&min=%M&sec=0" }}&p1=187&p2=233&p3=250&p4=1129&p5=256); [iCal download](https://www.timeanddate.com/scripts/ics.php?type=meet&p1=187&p2=233&p3=250&p4=1129&p5=256&{{ page.meeting_time | date: "year=%Y&month=%m&day=%d&hour=%H&min=%M&sec=0" }}))
- Duration: 1 hour, timeboxed. We start 30 minutes earlier for introductions/socializing.
- Location: On TPRF's Slack server, in #cpan-security, with video.
- Meeting chair: @oalders
- Meeting secretary: @sjn
- Attendees
  - @sjn
  - @timlegge (left early)
  - @stigtsp
  - @oalders
  - @petek (left early)
- Regrets
- Absent
- Previous meeting minutes, up to and including 2024-03-13, were approved in PR#55 by @garu, @oalders and @sjn
- These minutes are to be approved in PR#56
- CPAN Metadata & Software Bills of Materials
  - @sjn - Meeting with Steve Springett (OWASP/CycloneDX) next week, about @sjn's supply chain SBOM roles document
  - @sjn - Started planning proposals for metadata changes + SBOM at PTS
  - @sjn - To start SBOM intro presentation
- CPAN Privacy and Compliance
- CPAN Provenance & Supply Chain Security
- CPAN Security Outreach & Information
  - @sjn - Update the "how to report" page with contact info for PAUSE admins (ref. https://pause.perl.org/pause/query?ACTION=pause_04about#credits)
  - @timlegge - Write a blog post about ongoing CVE registration efforts with @stigtsp
- CPAN Security Patch Tooling
- CPAN Software Composition Analysis
- CPAN Transparency Logs
- CPAN Vulnerability Index
- CPANSec Governance, Policy & Funding
  - @sjn - Update charter to make user security issues with PAUSE out-of-scope, and refer these to [email protected]. If the PAUSE folks would like to invite us at some point, we can update the charter again.
  - Information about recent PAUSE account compromises has been lacking; it would be good to see this improved.
  - Review basic opsec on PAUSE systems; it needs to be up to speed before we consider working on TUF. RJBS is working on PAUSE-in-the-cloud.
  - CPAN ecosystem trust is also at stake.
  - @ingy contacts NEILB to see if we (CPANSec) can help somehow
  - @stigtsp found some removed dists: https://github.com/batchpause/PAUSE-git/commit/32f55d453cef4abaed76ddcf454130569b342734
  - @oalders, @timlegge, @leont and @sjn - Met on 2023-03-22 about a budget that can be used for fundraising. Initial summary is at https://cryptpad.fr/code/#/2/code/edit/ot0NCG1yLcqELuwiqZ2tZD2l/
- Two ongoing vulnerabilities being resolved.
- None.
- PTS 2024-04-25 to 2024-04-28
- Chair: @oalders
- Secretary: @sjn
- Next meeting is April 10th 2024, 17:00 UTC in #cpan-security on TPRF Slack.