
Agenda

  • 2025-12-11 @ 16:00 UTC.
  • Meeting was intended to be held on Element Call (native video chat in the Element client), but due to technical issues among some of the attendees, we moved to Google Meet.

Attending

  • @jjatria, @sjn, @stigtsp, @thibaultduponchelle, @timlegge, Michael

Minutes

  • Introductions
    • Michael (north-of-nowhere, mjmc) introduced himself, and was welcomed!
  • @timlegge - year end wrap up for the CNA
    • @timlegge - @thibaultduponchelle wrote one last year, let’s do it again
    • @timlegge - CVE focused
    • @sjn - other topics too?
    • @timlegge - yes. Unsupported modules & coordination issues (w/@stigtsp)
    • @sjn - CRA; CONTRIBUTING.yml; etc.
    • @thibaultduponchelle - SBOM progress; CPAN module patching; Policy templates;
    • @stigtsp - Details on CVEs; PackageURLs
      • Aim to be ready by mid-January 2026 (good for PTS sponsoring)
    • @timlegge - organizes
  • @sjn - FOSDEM
    • @sjn - I’ll be there, bringing stickers, helping organize the Perl/Raku community booth.
    • @sjn - orgas may be renting a screen for micro talks
      • @sjn - if this happens, @sjn gives one about cpansec
  • @stigtsp - brief mention of showstoppers for PackageURL adoption in CVE and nixpkgs
    • @stigtsp - The current purl spec requires an author, but not a version. CVE spec requires at most one purl per vulnerability, which means CPAN purls don’t match well since they atm. require an author.
    • @jjatria - this seems solvable, let’s put together a meeting where we solve it.
    • @stigtsp - yes, let’s also define the problem space
    • @jjatria - organizes a meeting where we discuss this
    • @jjatria - let’s try for a deadline at the end of January
    • @stigtsp - we need to get this done ASAP
  • @stigtsp - PTS?
    • @thibaultduponchelle - Second round of invites done; Venue search ongoing; we’re invited!
  • AOB
    • @stigtsp - Happy holidays!

Next meeting

  • @sjn - next meeting in 4 weeks exactly, January 8, 2026 @ 16:00 UTC (iCal)