August 21, 2025

Participants: @varnerac, @Alistair, @kiko, Dan Janowski, @voltone, Michael Lubas, @maennchen, George Madi, @georgeguimaraes

OpenVEX in Erlang/OTP

• @kiko has been working on adding OpenVEX statements for OTP 26+
  • PR: https://github.com/erlang/otp/pull/9790
  • Forum announcement: OpenVEX in Erlang/OTP (testing phase)
• Affected version lists are verbose; necessary to ensure accuracy within the constraints of the spec
• PR will be merged soon, follow-up activity to improve automation

OTP release assets in CI

• Starting with Windows binaries, including code signing
• OTP team open to expanding this to include other platforms
  • Provided contributors continue to help with maintenance
  • Aim would be to eventually have binary distributions for all platforms in one place, signed where possible

CNA embargo list

• No feedback received on the PR Implement Pre-Disclosure List Policy by maennchen · Pull Request #61 · erlef-cna/website · GitHub
• Some concerns about using email to distribute undisclosed vulnerability information
  • Still, that’s how other CNAs seem to handle it
  • Also, if we use GH to provide selective access, GH will still send e.g. comment notifications through email
• Please comment on PR!

Collection of security articles on SecWG website

• No progress since last month
• Manage suggestions via GitHub PRs
  • Initial batch: Add Article Curation by maennchen · Pull Request #56 · erlef/security-wg · GitHub
  • Add content from Paraxial, AppSignal, Voltone blog, …

Doc warnings on dangerous functions

• Not all functions in Erlang/OTP that can potentially (indirectly) create atoms warn about the risks of untrusted input
• OTP team unsure whether we should aim for full coverage
  • It sets the expectation that any function without a warning is safe
• First step: review Preventing atom exhaustion | EEF Security WG and aim for completeness there

Next call

Wed September 18 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST