| 1 | +--- |
| 2 | +layout: single |
| 3 | +toc: true |
| 4 | +meeting_time: 2026-02-19 16:00 UTC |
| 5 | +title: CPANSec bi-weekly minutes |
| 6 | +--- |
| 7 | + |
| 8 | +## Agenda |
| 9 | + |
| 10 | +- 2026-02-19 @ 16:00 UTC. |
| 11 | + |
| 12 | +## Attending |
| 13 | + |
| 14 | +- @sjn, @stigtsp, @robrwo, @timlegge |
| 15 | + |
| 16 | +- Regrets @leont |
| 17 | + |
| 18 | +## Minutes |
| 19 | + |
| 20 | +- @stigtsp |
| 21 | + - CVE workflow |
| 22 | + - working on alternative workflow tools for CVE based on YAML |
| 23 | + - easier to use than Vulnogram |
| 24 | + - possible bulk updates |
| 25 | + |
| 26 | + - @sjn @robrwo |
| 27 | + - questions about posting links to CVEs in Mastodon, BlueSky etc. |
| 28 | + - there is no RSS available for the CVE announcement list |
| 29 | + |
| 30 | + - @timlegge |
| 31 | + - a copy of published CVEs should be kept in a public git repo |
| 32 | + - this should be a file copy, not clone of CNA repo, with sanity checks to ensure CVEs public |
| 33 | + - but MITRE has a public git repo |
| 34 | + |
| 35 | + - @robrwo |
| 36 | + - working on CVE Workflow documentation |
| 37 | + - CVE "style guide" thaat could be incorporated into @stigtsp's cna tool |
| 38 | + |
| 39 | +- @timlegge |
| 40 | + - OpenSSF Vulnerability Disclosure WG |
| 41 | + - AI slop is leading to many groups getting rid of bug bounties |
| 42 | + - WG is working on best practices to deal with slop |
| 43 | + - WG working on a survey of maintainers |
| 44 | + - time that users spend on open source projects? |
| 45 | + - are they paid for working on open source? |
| 46 | + - can they deal with AI reports? |
| 47 | + |
| 48 | +- Discussions of vulnerabilties |
| 49 | + - Details omitted from agenda. |
| 50 | + |
| 51 | + - @sjn |
| 52 | + - suggested improving vulnerability disclosure process with time, phases and well-publiched steps. |
| 53 | + |
| 54 | + - @robrwo |
| 55 | + - experimental triage repo unused, should be deleted @stiptsp |
| 56 | + - give triage list members access to the CNA repo, and use that for issue tracking |
| 57 | + - create a kanban |
| 58 | + |
| 59 | +- @sjn |
| 60 | + - Perl Toolchain Summit (PTS) |
| 61 | + - focusing on EU Cyber Resiliance Act (CRA) steward organisation |
| 62 | + - need to decide what the org looks like and set it up so it can be formally created |
| 63 | + - CPANSec would be a member, but separate from the stweard org |
| 64 | + - hoping to get funding for a CPANSec room at PTS |
| 65 | + - we have to get the EU CRA to work for CPAN, we *have* to update the META spec to fully update the dependency graph. |
| 66 | + |
| 67 | +- @stigtsp |
| 68 | + - CPAN pURLs |
| 69 | + - spec does not support selector use case we need for CVEs (author/version constraints) |
| 70 | + - work in process |
| 71 | + |
| 72 | +- @sjn |
| 73 | + - TPRF Grant |
| 74 | + - @stiptsp |
| 75 | + - suggestion for sending message to the mailing list with a short budget |
| 76 | + - beginning of a decision-making process |
| 77 | + |
| 78 | +- @robrwo |
| 79 | + - we need tools for accessing community documentation (license, security policy, etc) |
| 80 | + - meta spec/tools for downloading and showing these documents |
| 81 | + - possible PTS project |
| 82 | + |
| 83 | +- @stigstp |
| 84 | + - demo of cna tool https://github.com/CPAN-Security/cna-tool |
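Review bot: the attribution handles in the added minutes are inconsistent and two are misspelled, which matters because they are the only record of who said what: `@stiptsp` (in the triage-repo item and under "TPRF Grant") and `@stigstp` (the cna tool demo) should both be `@stigtsp`, as used elsewhere in the file. Other typos in the hunk: `thaat`, `well-publiched`, `stweard`, `Resiliance` (Cyber Resilience Act), `vulnerabilties`. The nesting is also off: the `@sjn @robrwo`, `@timlegge` and `@robrwo` items following the CVE workflow notes are indented one level under `@stigtsp`'s item, and the `@sjn` / `@robrwo` items after "Discussions of vulnerabilties" are indented under that heading, so they render as sub-points of another speaker rather than separate contributions; promoting them to top-level bullets like the rest of the file would fix that. Finally, "but MITRE has a public git repo" is left as an unresolved objection to the "copy of published CVEs should be kept in a public git repo" proposal; if the outcome was to keep a separate file copy with sanity checks anyway, a one-line rationale (or an explicit "no decision") would help whoever reads these minutes later.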