| layout | toc | meeting_time | title |
|---|---|---|---|
| page | true | 2024-11-27 17:00 UTC | Minutes 2024-11-27 |
- 2024-11-27 17:00 UTC on #cpansec-discussion on Matrix
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (...)
- @thibaultduponchelle joined :)
- Meeting chair: @timlegge
- Meeting secretary: @sjn & @tux
- Attendees
  - @sjn, @stigtsp, @tux, @timlegge, @garu, @robrwo
- Regrets
  - @thibaultduponchelle (joined later), @leont
- Previous meeting minutes were approved by @timlegge and @thibaultduponchelle, merged by @sjn
- @stigtsp - Discuss recent issues with our mailing lists being public instead of private
- @stigtsp - presented actions taken and open issues
- @sjn - decisions taken should be properly communicated - @stigtsp will start a writeup, @sjn will review
- means of advertising will be discussed in the upcoming days
- CPAN Metadata & Software Bills of Materials
- …
- CPAN Privacy and Compliance
- …
- CPAN Provenance & Supply Chain Security
- …
- CPAN Security Outreach & Information
- New and existing documentation being discussed in relation to open subjects
- CPAN Security Patch Tooling
- …
- CPAN Software Composition Analysis
- …
- CPAN Transparency Logs
- …
- CPAN Vulnerability Index
- …
- CPANSec Governance, Policy & Funding
- …
- CPAN Secure by Default
- …
- CPAN Software Composition Analysis
- …
- @leont implemented BearSSL and is now fighting IO::Socket::SSL. @BooK & @leont are not present to explain
- @sjn - no work done; @garu's personal application was rejected: more feedback on why would be welcome
- @sjn gives more background information and mentions @stuart's work
- @stigtsp - No movement around Mojo's secure token/secrets issues; Volunteers needed
- @garu has plans
- @stigtsp - One more vuln known, needs a volunteer; @timlegge may take a look
- @robrwo - working on initial draft - review required
- @sjn mentions already written documents - maybe merge or restructure
- new ideas are tossed around and proposed by @stigtsp
- @sjn - issue of setting up security email aliases for dists that go to authors + CPAN sec. May be a good topic for PTS
- @sjn - Workshop planned in December in Amsterdam (spec Steward roles)
- @sjn - Comments to chapter 5 (Supply chains) submitted together with OpenSSF, FSFE, NLnet Labs and GitHub
- This group is likely to have a meeting with ENISA in December
- @sjn - Chapter 3 (Incident response) and chapter 6 (Secure software development) comments being worked on.
- @abraxxa, @robrwo and some of the folks at Hackeriet have contributed
- @tux - Date is set to 2024-05-01 … 2024-05-04
- @sjn - ongoing; currently working on a taxonomy of non-funding support. Currently slowish
- @sjn - No news
- @stigtsp - Probably best to register a CVE
- @sjn - minor tweaks; working on connecting fields with metadata sources. First PR received
- @timlegge - MITRE confirmed receipt of the CNA request form; it will be reviewed soon.
- Nothing to report
- Discussion about a matrix of security-related items for CPAN releases
- @stigtsp - Meeting with tib and Stian next week about tib's research
- tib and @timlegge look into PAUSE pentesting
- FOSDEM Fringe 2025 - Friday January 31st, Brussels
- Related: EU Open Source Week
- FOSDEM 2025 - February 1-2, Brussels - three relevant devrooms!
- PTS 2025 - Most likely date: first week of May
- None
- Next meeting is Wednesday 2024-12-11 @ 16:00 UTC in #cpansec-discussion on Matrix (17:00 Europe/Amsterdam)