December 10, 2025
Participants: Lee Barney, @maennchen, @voltone, Dan Janowski, Paul Swartz, @varnerac, @peerst, George Madi, @kiko
Updates from the CISO
- Package URL (purl) type “otp” is now official:
  - Has been in use by EEF CNA for a while
  - purl Hex package has been updated
- OSV.dev export of EEF CNA CVEs is now operational:
  - Better accuracy, including full affected versions list
- SBOM tooling grant work started:
  - Mix sbom tool moved to EEF, updated
    - Also released as stand-alone binary
  - rebar3_sbom moved to EEF, updates in progress
  - After that: integrate into ORT
- Hex security audit Alpha-Omega grant:
  - Signed and announced (on Slack at least)
  - Preparations have started
    - In particular: how to test against staging environment
  - Testing starts in January, aiming to be done by early March
- FOSDEM 2026:
  - Several talk proposals submitted by WG members
    - Keep an eye on the website for announcements in coming days
  - Also panel participation
OpenVEX in OTP 28.3
- See announcement post
- TL;DR:
  - 28.3 includes SPDX SBOM with references to available OpenVEX statements
  - OpenVEX statements are available from 26 onwards
  - Work on signing is ongoing
Erlang secure coding standard proposal
- See OTP PR
- Current draft here (may be outdated; please use GH to navigate from PR to the latest version)
Eclipse Biscuit
- Dan started looking into Biscuit
- May create a package wrapping official implementation using Rustler
Next meeting
Wed January 7 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 00:00 JST (so effectively Thu)