The Security WG has a recurring virtual meeting once every four weeks. Meeting minutes and the time and date of the next meeting will be published in this thread.
Meetings are open to EEF members: the meeting link is published to the #security channel on EEF Slack one hour prior to each meeting.
April 3, 2024
Participants: Holden Oullette, @maennchen , @max-au , Paul Swartz, @peerst , @voltone
- Bandit
  - Ongoing (Holden)
  - Try to add to automated test suite for web servers
  - Code review of three handlers (HTTP 2.0, HTTP 1.1 and Websocket)
- GitHub org 2FA
  - Needs some preparation, to avoid locking out users without 2FA
  - Send out email, and heads-up in Slack (@max-au )
- OCSP stapling client
- OIDC client
- Positioning Erlang ecosystem as “secure”
  - See Whitehouse paper on memory safe languages
  - Counter FUD
  - Collaborate on a doc, targeting blog post or white paper
  - To be shared with Marketing WG for distribution
- Supply chain, SBoM of OTP
  - EU funded project (@peerst )
  - SBoM tooling upgrades
- Meeting notes
  - Should be published to Erlang Forums
- Next meeting
  - 2nd May 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST
Small Correction: it’s FAPI 2.0.
Spec: FAPI 2.0 Security Profile
max-au
April 17, 2024, 2:59am
voltone:
> GitHub org 2FA

This is now enforced: all erlef repo members must have 2FA enabled. Please ping me or infra@ if you are accidentally locked out.
May 1, 2024
(Oops, sorry: previous notes erroneously said the next meeting would be on May 2nd)
Participants: @maennchen , @max-au , Paul Swartz, @varnerac , @voltone
- OIDC Client: FAPI compliance
  - Implementation done
  - Conformance test passed
  - Stipend requested for certification
- Vulnerability Disclosure Guide proposal
- ICANN funding
  - Checking to see if EEF can apply for funding
  - Considering submitting a proposal around SCITT
  - Question: is it not too early, considering work on the spec is still in progress?
  - Reminder: supply chain work should also consider Erlang/OTP itself
- SAFE disclosures
  - Several vulnerabilities in commonly used packages
  - Disclosure planned for mid-May
  - Role for EEF SecWG?
  - After disclosure, review how community handled it
  - Check if there is a need to improve processes, tooling, etc.
- EEF SecWG GH repo
  - Lots of outdated issues and PRs
  - Have a look in coming weeks
  - Review status during next call
- Hex “Trusted Publishers” proposal
  - Stipend is ready
  - Hex team is positive about the proposal
  - Check with Holden about someone who might pick up the work
- Hex vulnerability sync
  - Informal proposal discussed with Hex team
  - Automatically retire packages with known vulnerabilities
  - Question: are “retired” and “mentioned in a vulnerability report” not two orthogonal things?
  - Revisit after “Trusted Publishers” collaboration with Hex team
- OCSP stapling
- Next meeting
  - Wed 29 May 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST