Merge pull request #194 from CPAN-Security/minutes-2025-12-11

thibaultduponchelle · web-flow · commit 9ff391378683 · 2025-12-18T08:25:10.000+01:00
Minutes for 2025-12-11 meeting
diff --git a/meetings/README.md b/meetings/README.md
@@ -24,6 +24,9 @@ title: CPANSec meeting details & minutes
 
 Meeting minutes [currently under review](https://github.com/CPAN-Security/security.metacpan.org/pulls?q=is%3Apr+is%3Aopen+label%3Aminutes) on Github (usually available some days after a meeting).
 
+### 2026
+* [2026-01-08](cpansec-minutes-2026-01-08.md)
+
 ### 2025
 * [2025-01-08](cpansec-minutes-2025-01-08.md)
 * [2025-01-22](cpansec-minutes-2025-01-22.md)
@@ -38,6 +41,8 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
 * [2025-06-04](cpansec-minutes-2025-06-04.md)
 * [2025-06-18](cpansec-minutes-2025-06-18.md)
 
+* [2025-12-11](cpansec-minutes-2025-12-11.md)
+
 ### 2024
 * [2024-01-06](cpansec-minutes-2024-01-06.md)
 * [2024-01-20](cpansec-minutes-2024-01-20.md)
@@ -70,41 +75,3 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
     - Sub-items without checkboxes are summaries or notes to the previous item
 - Items without checkboxes or @names are for information or finding volunteers
 - [ ] Create tickets items are around for too long, or no-one volunteers
-
-### Tasks
-- [ ] @name - **Tasks that need to happen** after the meeting get an empty checkbox and the @name of the person leading the work (possibly with helpers);
-    - Relevant information can be added as sub-items
-    - [ ] @name - Tasks in sub-items are sub-tasks, and have a @name associated
-- [ ] @name - **Tasks that weren't completed** until this meeting have their checkbox remain unfilled, so we remember to find out again during the next meeting if the task is done
-- [x] @sjn - **Tasks that are completed** get their checkbox filled with an `X`
-- [x] Tasks without a @name associated need to get a @name, so we don't leave tasks lying around unadressed
-    - If none volunteer, we create a ticket in the appropriate project; The checkbox is filled with an `X`, and therby scheduled for deletion (see below)
-    - Alternatively, note that voluteers are needed, and *leave the item checkbox empty*
-
-### Topics
-- [ ] @name - **Topics that need to be discussed** during the meeting get an empty checkbox and the @name of the person leading the discussion (possibly with others)
-    - Topics can have additional relevant information added as sub-items
-- [ ] @name - **Topics that weren't discussed** during a meeting have their checkbox remain unfilled, so we remember to discuss them during the next meeting
-- [x] @name - **Topics that have been discussed** get sub-items added with key points and decisions, and their checkbox filled with an `X`
-- @name - Items without a checkbox are for information only. Keep it brief, and have key points added as sub-items. The @name shares the information
-    - Sub-items without a name or checkbox contain key points, or additional information to the previous points
-    - [ ] @name - Sub-items like these can have tasks and topics too, just as above
-- [x] **Topics without a @name associated**, get a @name associated.
-    - If none volunteer, the topic isn't important enough; Make a ticket or not; Fill the checkbox with an `X`, so it is scheduled for deletion.
-    - Alternatively, leave the item checkbox empty, and note that volunteers are needed
-
-### Events
-- [ ] **Events in the future** have an empty checkbox
-    - Add the @names of who is likely to attend, so they may submit/prepare talks, coordinate, etc.
-- [x] **Events in the past** get their checkbox filled with an `X`
-    - Add a few key learnings from attendees, if relevant!
-- [x] **Events that nobody is likely to attend** get their checkbox filled with an `X`
-
-### When creating the Minutes
-- [x] When creating the minutes, utems with filled checkboxes remain as-is. Do NOT delete!
-    - [X] _This item is done, so record it in the minutes as-is_ 
-
-### When creating the Agenda
-- [x] When a NEW agenda is created from the previous meeting minutes, items with filled checkboxes are deleted: they aren't relevant any more!
-    - [X] _~~This item is done, so we delete ut when preparing the next meeting agenda~~_
-
diff --git a/meetings/cpansec-minutes-2025-12-11.md b/meetings/cpansec-minutes-2025-12-11.md
@@ -0,0 +1,42 @@
+# CPANSec bi-weekly meeting 2025-12-11
+
+- 2025-12-11 @ 16:00 UTC.
+- Meeting intended on Element Call (native video chat in Element client), but due technical issues among some of the attendees, we moved to Google Meet.
+
+## Attending
+
+- @jjatria, @sjn, @stigtsp, @thibaultduponchelle, @timlegge, Michael
+
+## Minutes
+
+- [x] Introductions
+  - Michael (north-of-nowhere, mjmc) introduced himself, and was welcomed!
+- [x] @timlegge - year end wrap up for the CNA
+  - @timlegge - @thibaultduponchelle wrote one last year, let's do it again
+  - @timlegge - CVE focused
+  - @sjn - other topics too?
+  - @timlegge - yes. Unsupported modules & coordination issues (w/@stigtsp)
+  - @sjn - CRA; CONTRIBUTING.yml; etc.
+  - @thibaultduponchelle - SBOM progress; CPAN module patching; Policy templates;
+  - @stigtsp - Details on CVEs; PackageURLs
+    - Aim to be ready medio January 2026 (good for PTS sponsoring)
+  - [ ] @timlegge - organizes
+- [x] @sjn - FOSDEM
+  - @sjn - I'll be there, bringing stickers, helping organizing the Perl/Raku community booth.
+  - @sjn - orgas may be renting screen for micro talks
+    - [ ] @sjn - if this happens, @sjn gives one about cpansec
+- [x] @stigtsp - brief mention of showstoppers for PackageURL adoption in CVE and nixpkgs
+  - @stigtsp - The current purl spec requires an author, but not a version. CVE spec requires at most one purl per vulnerability, which means CPAN purls don't match well since they atm. require an author.
+  - @jjatria - this seems solvable, let's put together a meeting where we solve it.
+  - @stigtsp - yes, let's also define the problem space
+  - [ ] @jjatria - organizes a meeting where we discuss this
+  - @jjatria - let's try for a deadline at ultimo January
+  - @stigtsp - we need to get this done ASAP
+- [x] @stigsp - PTS?
+  - @thibaultduponchelle - Second round of invites done; Venue search ongoing; we're invited!
+- [x] AOB
+  - @stigtsp - Happy holidays!
+
+## Next meeting
+
+- [ ] @sjn - next meeting in 4 weeks exactly, January 8, 2026 @ 16:00 UTC ([iCal](https://calendar.google.com/calendar/event?action=TEMPLATE&tmeid=Y2dncTltMG5ocWRqdWV0ZXY1YzlqNm1tZW5fMjAyNjAxMDhUMTYwMDAwWiA2OTE1ODRlM2RiN2QwYTg3N2I0MzQ4MmZjOTk2ZWFhZTk5ODRjZjhiYTBiNzY5ZDVkMDBkMDQyYTMyZjljNjZlQGc&tmsrc=691584e3db7d0a877b43482fc996eaae9984cf8ba0b769d5d00d042a32f9c66e%40group.calendar.google.com))
