Security Working Group Minutes

The Security WG has a recurring virtual meeting once every four weeks. Meeting minutes and the time and date of the next meeting will be published in this thread.

Meetings are open to EEF members: the meeting link is published to the #security channel on EEF Slack one hour prior to each meeting.


April 3, 2024

Participants: Holden Oullette, @maennchen, @max-au, Paul Swartz, @peerst, @voltone

Bandit

  • Ongoing (Holden)
  • Try to add to automated test suite for web servers
  • Code review of three handlers (HTTP 2.0, HTTP 1.1 and Websocket)

GitHub org 2FA

  • Needs some preparation, to avoid locking out users without 2FA
  • Send out email, and heads-up in Slack (@max-au)

OCSP stapling client

OIDC client

Positioning Erlang ecosystem as “secure”

  • See Whitehouse paper on memory safe languages
  • Counter FUD
  • Collaborate on a doc, targeting blog post or white paper
    • To be shared with Marketing WG for distribution

Supply chain, SBoM of OTP

  • EU funded project (@peerst)
  • SBoM tooling upgrades

Meeting notes

  • Should be published to Erlang Forums

Next meeting

2nd May 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST


Small Correction: it’s FAPI 2.0.

Spec: FAPI 2.0 Security Profile


This is now enforced: all erlef repo members must have 2FA enabled. Please ping me or infra@ if you are accidentally locked out.


May 1, 2024

(Oops, sorry: previous notes erroneously said the next meeting would be on May 2nd)

Participants: @maennchen, @max-au, Paul Swartz, @varnerac, @voltone

OIDC Client: FAPI compliance

  • Implementation done
  • Conformance test passed
  • Stipend requested for certification

Vulnerability Disclosure Guide proposal

ICANN funding

  • Checking to see if EEF can apply for funding
  • Considering submitting a proposal around SCITT
  • Question: is it not too early, considering work on the spec is still in progress?
  • Reminder: supply chain work should also consider Erlang/OTP itself

SAFE disclosures

  • Several vulnerabilities in commonly used packages
  • Disclosure planned for mid-May
  • Role for EEF SecWG?
    • After disclosure, review how community handled it
    • Check if there is a need to improve processes, tooling, etc.

EEF SecWG GH repo

  • Lots of outdated issues and PRs
  • Have a look in coming weeks
  • Review status during next call

Hex “Trusted Publishers” proposal

  • Stipend is ready
  • Hex team is positive about the proposal
  • Check with Holden about someone who might pick up the work

Hex vulnerability sync

  • Informal proposal discussed with Hex team
  • Automatically retire packages with known vulnerabilities
  • Question: are “retired” and “mentioned in a vulnerability report” not two orthogonal things?
  • Revisit after “Trusted Publishers” collaboration with Hex team

OCSP stapling

Next meeting

Wed 29 May 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST
