Merge pull request #192 from robrwo/rrwo/meeting-minutes-2025-09-17

Add draft minutes from 2025-09-17 meeting

Author: thibaultduponchelle

meetings/README.md

@@ -40,6 +40,7 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
 * [2025-05-21](cpansec-minutes-2025-05-21.md)
 * [2025-06-04](cpansec-minutes-2025-06-04.md)
 * [2025-06-18](cpansec-minutes-2025-06-18.md)
+* [2025-09-17](cpansec-minutes-2025-09-17.md)
 
 * [2025-12-11](cpansec-minutes-2025-12-11.md)
 
@@ -75,3 +76,40 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
     - Sub-items without checkboxes are summaries or notes to the previous item
 - Items without checkboxes or @names are for information or finding volunteers
 - [ ] Create tickets items are around for too long, or no-one volunteers
+
+### Tasks
+- [ ] @name - **Tasks that need to happen** after the meeting get an empty checkbox and the @name of the person leading the work (possibly with helpers);
+    - Relevant information can be added as sub-items
+    - [ ] @name - Tasks in sub-items are sub-tasks, and have a @name associated
+- [ ] @name - **Tasks that weren't completed** until this meeting have their checkbox remain unfilled, so we remember to find out again during the next meeting if the task is done
+- [x] @sjn - **Tasks that are completed** get their checkbox filled with an `X`
+- [x] Tasks without a @name associated need to get a @name, so we don't leave tasks lying around unadressed
+    - If none volunteer, we create a ticket in the appropriate project; The checkbox is filled with an `X`, and therby scheduled for deletion (see below)
+    - Alternatively, note that voluteers are needed, and *leave the item checkbox empty*
+
+### Topics
+- [ ] @name - **Topics that need to be discussed** during the meeting get an empty checkbox and the @name of the person leading the discussion (possibly with others)
+    - Topics can have additional relevant information added as sub-items
+- [ ] @name - **Topics that weren't discussed** during a meeting have their checkbox remain unfilled, so we remember to discuss them during the next meeting
+- [x] @name - **Topics that have been discussed** get sub-items added with key points and decisions, and their checkbox filled with an `X`
+- @name - Items without a checkbox are for information only. Keep it brief, and have key points added as sub-items. The @name shares the information
+    - Sub-items without a name or checkbox contain key points, or additional information to the previous points
+    - [ ] @name - Sub-items like these can have tasks and topics too, just as above
+- [x] **Topics without a @name associated**, get a @name associated.
+    - If none volunteer, the topic isn't important enough; Make a ticket or not; Fill the checkbox with an `X`, so it is scheduled for deletion.
+    - Alternatively, leave the item checkbox empty, and note that volunteers are needed
+
+### Events
+- [ ] **Events in the future** have an empty checkbox
+    - Add the @names of who is likely to attend, so they may submit/prepare talks, coordinate, etc.
+- [x] **Events in the past** get their checkbox filled with an `X`
+    - Add a few key learnings from attendees, if relevant!
+- [x] **Events that nobody is likely to attend** get their checkbox filled with an `X`
+
+### When creating the Minutes
+- [x] When creating the minutes, utems with filled checkboxes remain as-is. Do NOT delete!
+    - [X] _This item is done, so record it in the minutes as-is_
+
+### When creating the Agenda
+- [x] When a NEW agenda is created from the previous meeting minutes, items with filled checkboxes are deleted: they aren't relevant any more!
+    - [X] _~~This item is done, so we delete ut when preparing the next meeting agenda~~_

meetings/cpansec-minutes-2025-09-17.md

@@ -0,0 +1,95 @@
+---
+layout: page
+toc: true
+meeting_time: 2025-08-20 16:00 UTC
+title: CPANSec bi-weekly minutes
+---
+
+[TOC]
+
+## Agenda & Meeting Details 2025-09-17
+
+## 17:30 UTC - Pre-meeting socializing
+-   Socializing & getting up to speed before the meeting starts properly
+-   Discuss organizing projects, swimlanes and issues (...)
+-   Check and resolve technical (A/V) issues before the meeting starts
+-   Come as you are!
+
+## 18:00 UTC - Meeting start
+
+### Welcome
+-   Meeting chair:
+-   Meeting scribe:
+
+### Attendees, absents & regrets
+-   Attendees @robrwo, @sjn
+-   Partly attending @leon
+-   Regrets @timlegge @tib
+
+### Approve previous meeting minutes
+
+## Agenda
+
+### Current matters & Ongoing vulnerabilities
+- JSON::XS and related vulns patched, coordinated releases
+
+#### PAUSE
+- [x] @tib Completed the 2 hardening fixes (already said on July meeting) on PAUSE, chased admins: they said they will merge and deploy soon
+- [x] @tib Pentesting PAUSE: completed all things around forms (upload, create user, etc…). No vulnerability found
+- [ ] @robrwo PAUSE rules update stalled
+
+### New method of generating agenda
+- https://github.com/orgs/CPAN-Security/projects/12 "For discussion" column
+- evolving, need to think if Tasks to make this easier
+- Needs issues from other projects/repos
+
+### Separate meetings for projects/teams?
+
+### CPAN Modules with vulnerable vendored (bundled/embedded) dependencies
+- @robrwo stalled
+
+### security.metacpan.org website
+- [Header and teaser images for news and blog posts](https://github.com/CPAN-Security/security.metacpan.org/pull/186)
+- Other blog posts
+
+### CPAN::Meta v3 and SBOM
+- https://github.com/CPAN-Security/perl-SBOM-Examples
+- metadata is not usually installed
+  - @sjn suggests raising issue for CPAN::Meta spec for Toolchain Gang
+  - help CPAN maints create source SBOMs and make it easier for build tools
+    like cpan/cpanminus etc can output SBOMs or use a tool too
+   - @sjn explained different types of SBOMs (source v build)
+
+### Document CNA Workflow
+- @robrwo
+
+### Security policies
+
+#### Address blockers to adding security policies
+- https://github.com/CPAN-Security/security.metacpan.org/issues/189 @robwo
+  - Desire for a simpler, tiny policy
+  - Dual-life modules
+  - Projects with multiple maintainers who cannot agree
+  - @tobyink had mentioned to @robrwo that people may not see separate doc vs inside POD
+    - @leon considers this a feature: force users to see latest document
+    - [need tools to extract metadata and show users community documentation](https://github.com/CPAN-Security/security.metacpan.org/issues/190)
+      - but needs metadata saved somewhere on install
+      - we need to limit scope: this is a security policy
+  - @sjn points out that users are interested in the *promises* from a policy
+  - @leon points out that we don't really know what authors actually need
+  - @robrwo to elaborate on these issues, perhaps create sub-issues, and communicate with P5P about dual-life
+
+#### Add Support and Security Considerations sections
+- https://github.com/CPAN-Security/security.metacpan.org/issues/174
+- More SBOM-friendly. Mainly reorganising.
+- @robrwo has been separately thinking about relation of module POD to Security Policies
+  - Need to document various "community health" documents and recommended POD sections
+
+#### Popular modules without sec policies
+- https://github.com/CPAN-Security/security.metacpan.org/issues/165
+- @robrwo requested 100+ dists add policieS, about 15% added them
+- stalled
+
+### Social Media
+- @sjn
+- CVE announcements should have short versions but fits into 180 chars as an output and auto-published on bluesky/masto/reddit/perlmonks