Charter: Add instructions on how to join CPANSec

[sjn]

How does one join the CPAN Security group?

For now we don't have a formal process, so no vetting or chain of trust.

[garu]

do we have a draft for this? otherwise I can bring one next meeting and we buiild from there.

[sjn]

No draft. We talked about it at a meeting this spring and IIRC, @stigtsp had some opinions on the matter, but it didn't go anywhere. Feel free to put together a draft! :)

I've written an outline of an onboarding text, but since we're not using the forum much, I don't know if instructions like these can fit there, or if they should go in the charter. What do you think?

In any case, we don't really have much of a process at all, so anything you put together would probably be an improvement! :-D

[stigtsp]

My thoughts (in TLDR form) on that was:

• Anyone can join CPANSec and participate in the public forums
• CPANSec Triage and the cpan-security mailing list is invite only due to pre-release disclosure of vulnerabilities.
• CPANSec CNA (when/if it gets set up) would be invite only as it requires following CNA rules and procedures, and maybe onboarding trough root-CNA.

[garu]

@stigtsp Agreed. Do you also have thoughts on the how? E.g. "I wanna join! What do I do? How do I let people know? At which point in the process will I be able to say that I have joined successfully?"

[sjn]

Should we do some vetting? Or require an invitation/recommendation from an existing member? Or some other trust or background verification?

[Tux]

As the Governanbce project was closed, should this issue be closed or assigned to a new project?