Security Working Group Minutes

March 5, 2025

Participants: @maennchen, Daniel Janowski, @Alistair, @varnerac, @voltone

Updates from the CISO

CNA

  • New dates in March proposed at MITRE’s request
  • If/when meetings happen, CNA could be live in weeks

Grant Application

  • Revised proposal, waiting for feedback
    • First phase is to pen-test existing package manager integrations
  • Got first offers for pen-test providers
    • Started discussions with two, one for code review, one for red team
    • Recommendations? Share with @maennchen
  • Started to define an “initiative” on the EEF website for the purpose of fundraising in general

OpenChain

  • Elixir: done
  • Gleam: work started

NIST SSDF Sub-Standard

  • Work started by Jonatan to define an SSDF “profile”
    • Progress can be followed in Notion
    • Contributions welcome
  • Alignment with other ecosystems would be useful
    • Just hard to find out who else might be working on something like this
    • We asked NIST, they do not have visibility (at this time)

HTTP Clients in the ecosystem

  • Lots of clients, some not actively maintained
    • This state of affairs has security implications
  • Some discussion on whether to adopt the “Mint” approach for Erlang/OTP
    • Perhaps as part of OTP?
  • Try to invite @ingela, @kiko and perhaps Andrea next month

Distribution TLS by default

  • Two operating modes can be considered:
    • PSK (not great with TLS 1.2, no support in OTP with TLS 1.3)
    • Shared self-signed certificate
  • Goal is to have some (build) tooling to prepare a release config “automatically”
  • Align with OpenRiak, looking for migration to secure cluster
    • Might need ability to listen both with and without TLS
  • Configuring TLS settings at boot is tricky
  • Next steps:
    • Continue digging and documenting in Notion
    • Discuss with OTP team, if they join next meeting (see above)
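The “shared self-signed certificate” mode discussed above, written out as an Erlang TLS distribution option file. This is an added illustration, not tooling or configuration from the working group or the OTP team; the file paths are placeholders, and it assumes the option-file mechanism that OTP’s `inet_tls` distribution reads at boot.

```erlang
%% ssl_dist.conf -- added example, not from the working group minutes.
%% Models the "shared self-signed certificate" mode: every node in the
%% cluster ships the same certificate/key pair and trusts only that
%% certificate as its CA, so a node that does not hold the private key
%% cannot complete the handshake and join the cluster.
%% File paths below are placeholders.
%%
%% Hand the file to the VM at boot (vm.args / ERL_FLAGS), e.g.
%%   -proto_dist inet_tls -ssl_dist_optfile "/etc/myapp/ssl_dist.conf"
%% It cannot go in sys.config: distribution is started before the
%% application environments are loaded, which is part of why boot-time
%% TLS configuration is awkward.
[{server, [{certfile,   "/etc/myapp/dist-cluster.pem"},
           {keyfile,    "/etc/myapp/dist-cluster.key"},
           %% the shared self-signed cert doubles as the trust anchor
           {cacertfile, "/etc/myapp/dist-cluster.pem"},
           %% require a peer certificate and reject nodes that omit one
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {secure_renegotiate, true}]},
 {client, [{certfile,   "/etc/myapp/dist-cluster.pem"},
           {keyfile,    "/etc/myapp/dist-cluster.key"},
           {cacertfile, "/etc/myapp/dist-cluster.pem"},
           %% verify the accepting node presents the same shared cert
           {verify, verify_peer},
           {secure_renegotiate, true}]}].
```

With `verify_peer` on both sides the certificate, not the distribution cookie, is what gates cluster membership, so the private key must be distributed and protected with at least the care given to the cookie. A release build step that generates this file from the release’s own paths is the kind of “automatic” tooling the goal bullet refers to.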

Next meeting

Wed 2 April 2025 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 0:00 (Thu) JST
