Skip to content

Add draft minutes from 2025-09-17 meeting #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thibaultduponchelle merged 2 commits into from
Dec 18, 2025
Merged

Add draft minutes from 2025-09-17 meeting #192

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
52ecfa3
Add draft minutes from 2025-09-17 meeting
robrwo Sep 18, 2025
0d57efc
Merge branch 'main' into rrwo/meeting-minutes-2025-09-17
thibaultduponchelle Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions meetings/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi
* [2025-05-21](cpansec-minutes-2025-05-21.md)
* [2025-06-04](cpansec-minutes-2025-06-04.md)
* [2025-06-18](cpansec-minutes-2025-06-18.md)
* [2025-09-17](cpansec-minutes-2025-09-17.md)

### 2024
* [2024-01-06](cpansec-minutes-2024-01-06.md)
Expand Down Expand Up @@ -102,9 +103,8 @@ Meeting minutes [currently under review](https://github.com/CPAN-Security/securi

### When creating the Minutes
- [x] When creating the minutes, utems with filled checkboxes remain as-is. Do NOT delete!
- [X] _This item is done, so record it in the minutes as-is_
- [X] _This item is done, so record it in the minutes as-is_

### When creating the Agenda
- [x] When a NEW agenda is created from the previous meeting minutes, items with filled checkboxes are deleted: they aren't relevant any more!
- [X] _~~This item is done, so we delete ut when preparing the next meeting agenda~~_

95 changes: 95 additions & 0 deletions meetings/cpansec-minutes-2025-09-17.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
---
layout: page
toc: true
meeting_time: 2025-08-20 16:00 UTC
title: CPANSec bi-weekly minutes
---

[TOC]

## Agenda & Meeting Details 2025-09-17

## 17:30 UTC - Pre-meeting socializing
- Socializing & getting up to speed before the meeting starts properly
- Discuss organizing projects, swimlanes and issues (...)
- Check and resolve technical (A/V) issues before the meeting starts
- Come as you are!

## 18:00 UTC - Meeting start

### Welcome
- Meeting chair:
- Meeting scribe:

### Attendees, absents & regrets
- Attendees @robrwo, @sjn
- Partly attending @leon
- Regrets @timlegge @tib

### Approve previous meeting minutes

## Agenda

### Current matters & Ongoing vulnerabilities
- JSON::XS and related vulns patched, coordinated releases

#### PAUSE
- [x] @tib Completed the 2 hardening fixes (already said on July meeting) on PAUSE, chased admins: they said they will merge and deploy soon
- [x] @tib Pentesting PAUSE: completed all things around forms (upload, create user, etc…). No vulnerability found
- [ ] @robrwo PAUSE rules update stalled

### New method of generating agenda
- https://github.com/orgs/CPAN-Security/projects/12 "For discussion" column
- evolving, need to think if Tasks to make this easier
- Needs issues from other projects/repos

### Separate meetings for projects/teams?

### CPAN Modules with vulnerable vendored (bundled/embedded) dependencies
- @robrwo stalled

### security.metacpan.org website
- [Header and teaser images for news and blog posts](https://github.com/CPAN-Security/security.metacpan.org/pull/186)
- Other blog posts

### CPAN::Meta v3 and SBOM
- https://github.com/CPAN-Security/perl-SBOM-Examples
- metadata is not usually installed
- @sjn suggests raising issue for CPAN::Meta spec for Toolchain Gang
- help CPAN maints create source SBOMs and make it easier for build tools
like cpan/cpanminus etc can output SBOMs or use a tool too
- @sjn explained different types of SBOMs (source v build)

### Document CNA Workflow
- @robrwo

### Security policies

#### Address blockers to adding security policies
- https://github.com/CPAN-Security/security.metacpan.org/issues/189 @robwo
- Desire for a simpler, tiny policy
- Dual-life modules
- Projects with multiple maintainers who cannot agree
- @tobyink had mentioned to @robrwo that people may not see separate doc vs inside POD
- @leon considers this a feature: force users to see latest document
- [need tools to extract metadata and show users community documentation](https://github.com/CPAN-Security/security.metacpan.org/issues/190)
- but needs metadata saved somewhere on install
- we need to limit scope: this is a security policy
- @sjn points out that users are interested in the *promises* from a policy
- @leon points out that we don't really know what authors actually need
- @robrwo to elaborate on these issues, perhaps create sub-issues, and communicate with P5P about dual-life

#### Add Support and Security Considerations sections
- https://github.com/CPAN-Security/security.metacpan.org/issues/174
- More SBOM-friendly. Mainly reorganising.
- @robrwo has been separately thinking about relation of module POD to Security Policies
- Need to document various "community health" documents and recommended POD sections

#### Popular modules without sec policies
- https://github.com/CPAN-Security/security.metacpan.org/issues/165
- @robrwo requested 100+ dists add policieS, about 15% added them
- stalled

### Social Media
- @sjn
- CVE announcements should have short versions but fits into 180 chars as an output and auto-published on bluesky/masto/reddit/perlmonks