Add draft minutes from 2025-09-17 meeting

Author: robrwo

meetings/README.md

@@ -37,6 +37,7 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
 * [2025-05-21](cpansec-minutes-2025-05-21.md)
 * [2025-06-04](cpansec-minutes-2025-06-04.md)
 * [2025-06-18](cpansec-minutes-2025-06-18.md)
+* [2025-09-17](cpansec-minutes-2025-09-17.md)
 
 ### 2024
 * [2024-01-06](cpansec-minutes-2024-01-06.md)
@@ -102,9 +103,8 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
 
 ### When creating the Minutes
 - [x] When creating the minutes, utems with filled checkboxes remain as-is. Do NOT delete!
-    - [X] _This item is done, so record it in the minutes as-is_ 
+    - [X] _This item is done, so record it in the minutes as-is_
 
 ### When creating the Agenda
 - [x] When a NEW agenda is created from the previous meeting minutes, items with filled checkboxes are deleted: they aren't relevant any more!
     - [X] _~~This item is done, so we delete ut when preparing the next meeting agenda~~_
-

meetings/cpansec-minutes-2025-09-17.md

@@ -0,0 +1,95 @@
+---
+layout: page
+toc: true
+meeting_time: 2025-08-20 16:00 UTC
+title: CPANSec bi-weekly minutes
+---
+
+[TOC]
+
+## Agenda & Meeting Details 2025-09-17
+
+## 17:30 UTC - Pre-meeting socializing
+-   Socializing & getting up to speed before the meeting starts properly
+-   Discuss organizing projects, swimlanes and issues (...)
+-   Check and resolve technical (A/V) issues before the meeting starts
+-   Come as you are!
+
+## 18:00 UTC - Meeting start
+
+### Welcome
+-   Meeting chair:
+-   Meeting scribe:
+
+### Attendees, absents & regrets
+-   Attendees @robrwo, @sjn
+-   Partly attending @leon
+-   Regrets @timlegge @tib
+
+### Approve previous meeting minutes
+
+## Agenda
+
+### Current matters & Ongoing vulnerabilities
+- JSON::XS and related vulns patched, coordinated releases
+
+#### PAUSE
+- [x] @tib Completed the 2 hardening fixes (already said on July meeting) on PAUSE, chased admins: they said they will merge and deploy soon
+- [x] @tib Pentesting PAUSE: completed all things around forms (upload, create user, etc…). No vulnerability found
+- [ ] @robrwo PAUSE rules update stalled
+
+### New method of generating agenda
+- https://github.com/orgs/CPAN-Security/projects/12 "For discussion" column
+- evolving, need to think if Tasks to make this easier
+- Needs issues from other projects/repos
+
+### Separate meetings for projects/teams?
+
+### CPAN Modules with vulnerable vendored (bundled/embedded) dependencies
+- @robrwo stalled
+
+### security.metacpan.org website
+- [Header and teaser images for news and blog posts](https://github.com/CPAN-Security/security.metacpan.org/pull/186)
+- Other blog posts
+
+### CPAN::Meta v3 and SBOM
+- https://github.com/CPAN-Security/perl-SBOM-Examples
+- metadata is not usually installed
+  - @sjn suggests raising issue for CPAN::Meta spec for Toolchain Gang
+  - help CPAN maints create source SBOMs and make it easier for build tools
+    like cpan/cpanminus etc can output SBOMs or use a tool too
+   - @sjn explained different types of SBOMs (source v build)
+
+### Document CNA Workflow
+- @robrwo
+
+### Security policies
+
+#### Address blockers to adding security policies
+- https://github.com/CPAN-Security/security.metacpan.org/issues/189 @robwo
+  - Desire for a simpler, tiny policy
+  - Dual-life modules
+  - Projects with multiple maintainers who cannot agree
+  - @tobyink had mentioned to @robrwo that people may not see separate doc vs inside POD
+    - @leon considers this a feature: force users to see latest document
+    - [need tools to extract metadata and show users community documentation](https://github.com/CPAN-Security/security.metacpan.org/issues/190)
+      - but needs metadata saved somewhere on install
+      - we need to limit scope: this is a security policy
+  - @sjn points out that users are interested in the *promises* from a policy
+  - @leon points out that we don't really know what authors actually need
+  - @robrwo to elaborate on these issues, perhaps create sub-issues, and communicate with P5P about dual-life
+
+#### Add Support and Security Considerations sections
+- https://github.com/CPAN-Security/security.metacpan.org/issues/174
+- More SBOM-friendly. Mainly reorganising.
+- @robrwo has been separately thinking about relation of module POD to Security Policies
+  - Need to document various "community health" documents and recommended POD sections
+
+#### Popular modules without sec policies
+- https://github.com/CPAN-Security/security.metacpan.org/issues/165
+- @robrwo requested 100+ dists add policieS, about 15% added them
+- stalled
+
+### Social Media
+- @sjn
+- CVE announcements should have short versions but fits into 180 chars as an output and auto-published on bluesky/masto/reddit/perlmonks