---
layout: page
toc: true
meeting_time: August 29th, 2024 16:00 UTC
title: Minutes 2024-08-29
---
- August 29th, 2024 16:00 UTC on #cpansec-discussion on Matrix
- Meeting chair: @sjn
- Meeting secretary: All together
- Attendees
  - @sjn, @timlegge, @stigtsp, @tux
- Previous meeting minutes were approved by @tux, @timlegge, @stigtsp
- @tux - released DBI. CVE updates might be needed upstream
- @tux - Ideas about distroprefs to be used for known CVE patches not integrated by maintainers: @tux will create a ticket and a short readme
- @stigtsp - cpanm (cpanminus) vuln is kind of finished now, major distributions are following up already
- @tux - Test::CVE is being used!
- @sjn - TPRF has changed their SoC, should we follow suit? Discuss & decide.
  - Options are:
    - To update the current ticket prior to the next meeting
    - Vote at next meeting
- @stigtsp - need to do some considerations on this vs. CNA
- the CNA requires a public index of CVEs - some OSS projects use github for their index
- Neither @leont nor @book were present, so nothing to report
- @sjn - We need volunteers to deal with this; No movement forward
- @stigtsp - nothing public
- @stigtsp - some thinking ongoing
- @sjn - CPANSec BoF at LPW, with this on the agenda. Topics for exploration:
  - Balance between security and backwards compatibility
  - Deprecation of insecure services and tooling
  - Funding
- @sjn - Formal start soon; FAQ gathering started
- @sjn - meeting w/EU Commission next week
- @sjn - CycloneDX Sustainability WG first meeting started.
- @sjn - Looking for anyone in the CPAN/Perl/Raku ecosystems who care about Sustainability - please reach out!
- @sjn - @sjn's personal notes are on the CPANSec website
- Started, first meeting was last week, another next week
- @sjn stopped by the chaoss
- @sjn - No progress on issue #40 due to lacking tuits
- @sjn - ECMA TC54-TG2 (Package URL) standardization work starting soon
- @sjn - Ongoing work
- @timlegge - only updated the CNA disclosure policy
  - Disclosure https://cryptpad.fr/code/#/2/code/edit/w1A57hRtvBXHjLSLwWzDc4v9/
  - Creating a CVE - https://cryptpad.fr/code/#/2/code/edit/qxOxnd6Tk9BS-w-eNMYYbpEj/
  - @timlegge to move this information to the github
  - missing some information on what to do when a CVE has been addressed
We're looking at issues in the different projects
- CPANSec Governance
  - 4 issues moved to Stalled
- CPAN Vulnerability Index
  - 1 issue moved to Stalled
- Supplychain Security
  - @stigtsp - obvious problems have been prioritized. TUF and Sigstore issues are postponed
- CPAN Secure by Default
  - Our part of the cpanm secure by default is done
We continue with this list next meeting!
- PostgreSQL Lowlands 2024 NL - Fri 13 Sep 2024 - @tux will join
- Open Source Summit Europe in Vienna, Austria - September 16-18 + 19-20 - Lots of people from OpenSSF + SBOM + Supply chain security communities - @sjn is going
- All Systems Go - Sept. 25-26th, Berlin
- London Perl Workshop - Saturday 26th October 2024 - @sjn got his talk accepted, @tux got his LT accepted
- Try finding ways to make it easier to attend the meetings (like not forgetting there is one)
  - @timlegge will look at setting up a sharable calendar
- Skip electing next meeting chair/secretary from now on
### Elect next meeting chair and secretary
Chair: #TBD

Secretary: #TBD

- Next meeting is 2024-09-12 (12th Sep) @ 17:00 UTC (18:00 Amsterdam) in #cpansec-discussion on Matrix