By Tobias Zulauf on 2020-05-23 05:55 in Security Strike Team

Meeting Notes about the first informal JSST Meeting 2020 (2020-01)

Time: Monday, 19th of May 2020, 5pm UTC - 6pm UTC
Attendees: Benjamin Trenkle, Claire Mandville, George Wilson, Tobias Zulauf

About this new meeting format for the JSST Meeting
This meeting is intended to be an informal meeting only, so that the JSST leadership can update the team on ongoing work and current reports can be discussed. JSST members can also bring in topics they want to discuss with the team. This informal meeting is fully optional and is held using Google Meet. Depending on the topics (whether we are allowed to share them with the public or not) there will be irregular reports. For all official meetings where we have votes, motions or similar decisions to take, there will always be a meeting report. But due to the nature of this team such official meetings will be very irregular, as we usually act on issues reported to us or proactively work on security improvements in the public tracker.

Signing Joomla Core Updates
Over the last months, David has worked on a document about “Secure Auto-Updates for Joomla”. Before this can be released, a long list of issues has to be addressed. These have now been identified and documented. The document is still in progress and has been shared with the Department Coordinators, and now also with the security team, to get an initial round of feedback.

CMS Security Summit: The Update Framework (TUF)
At the CMS Security Summit held in Munich, the security people from Drupal, TYPO3 and Joomla! met and discussed the issue of signing the core updates to get a secure auto-update experience, and we found that TUF (The Update Framework) would be a good project to use for that purpose. So the three projects formed an initiative in which all the projects involved work together on a PHP version of the verification method of TUF. For this we have now sent out a Doodle to the involved people in the other communities and have also shared it with our team. If someone from outside of the JSST wants to join, please contact Tobias Zulauf to get the details.

Path policy wording
As can be seen and read up on in that issue, there is a need for more clarification on the new path policy that the production department decided on, to make it clear what is meant by that new policy. This process has now been started with the department coordinators team, and there will be an updated explanation of the motion / policy soon. Just to make one thing clear: we do not intend, nor have we intended at any time, to fork any composer libraries for that reason.

- Redacted Topics -