doc: CPC meeting minutes 2024-05-28 (#1308)

closes #1306 

---------

Signed-off-by: Joe Sepi <sepi@joesepi.com>
Signed-off-by: Tobie Langel <tobie@unlockopen.com>
Co-authored-by: Tobie Langel <tobie@unlockopen.com>
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>

meetings/2024/2024-05-28.md

@@ -0,0 +1,110 @@
+# OpenJS Foundation Cross Project Council Meeting 2024-05-28
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=XKtUkV5kf3M
+* **GitHub Issue**: https://github.com/openjs-foundation/cross-project-council/issues/1306
+
+## Present
+
+* Joe Sepi (@joesepi)
+* Ben Sternthal (@bensternthal)
+* Cody Zuschlag (@codyzu)
+* Robin Ginn (@rginn)
+* Paula Paul (@paulapaul)
+* Ulises Gascon (@UlisesGascon)
+* Meghan Denny (@nektro)
+* Marco Ippolito (@marco-ippolito)
+* Chris de Almeida (@ctcpip)
+* Jordan Harband (@ljharb)
+* Tobie Langel
+* Michael Dawson (@mhdawson)
+* Michaela Laurencin
+* Wes Todd
+* Claudio Wunder (@ovflowd)
+
+## Agenda
+
+### Announcements
+
+- No pending travel fund requests (one did come in with no $ amounts and more detail was requested). 
+- Standards working group immediately following the CPC meeting
+- 15 year birthday of Node.js yesterday! https://x.com/nodejs/status/1795110360510300397
+
+
+### Board Meeting Updates
+
+- https://github.com/openjs-foundation/cross-project-council/labels/waiting-on-board
+  - approved the charter changes consensus definition
+  - SQLite was approved on request of the Node.js project
+
+### Staff Updates
+
+- https://github.com/openjs-foundation/cross-project-council/labels/waiting-on-legal-info
+- https://github.com/openjs-foundation/cross-project-council/labels/waiting-on-staff-update
+- https://github.com/openjs-foundation/cross-project-council/labels/waiting-on-website-update
+
+*Extracted from **cross-project-council-agenda** labeled issues and pull requests from the **openjs-foundation org** prior to the meeting.
+
+### openjs-foundation/cross-project-council
+
+* Improving the security posture of the CPC [#1300](https://github.com/openjs-foundation/cross-project-council/issues/1300)
+  * Had two working sessions on this
+  * discussed leveraging same infrastructure and process as travel fund (form, spreadsheet, review)
+  * We have unblocked applications to become a regular member. One application has been accepted. 
+  * There were requests to have these decisions documented (including the decision to unblock applications), and what if anything has changed, other than more rigorous attention to following the existing process.
+  * There was a request for making this process clearer, including what is done in public vs. private. Intake and evaluation is proposed to be private, announcement is expected to be public. This does need to be documented and reconciled with existing process documentation. There is a motion to adopt the process in place for the travel fund. During the call there were no objections to this.
+  * Next steps: in the issue itself we need to clarify the requests/conditions for membership and ensure we have enough information to address that. Suggestion to do this work async.
+
+* Selection of new Code of Conduct Team Community Members [#1298](https://github.com/openjs-foundation/cross-project-council/issues/1298)
+
+* Document CoC Team selection process [#1297](https://github.com/openjs-foundation/cross-project-council/issues/1297)
+
+* Revisit CPC meeting times [#1289](https://github.com/openjs-foundation/cross-project-council/issues/1289)
+
+* We may not be able to accommodate changes that work across the board. Leaving this as is is the best choice at the moment, and we will revisit this over time. 
+Joe Sepi will follow up with one person who had concerns, and then close the issue.
+
+* Create new Ecosystem Sustainability Program [#1277](https://github.com/openjs-foundation/cross-project-council/issues/1277)
+
+* Document best practices for org/project organization [#1263](https://github.com/openjs-foundation/cross-project-council/issues/1263)
+
+* Community Voting Members - make project and community representation simpler [#1243](https://github.com/openjs-foundation/cross-project-council/issues/1243)
+
+* Refine CPC Definition Of Consensus  [#1241](https://github.com/openjs-foundation/cross-project-council/issues/1241)
+  * Believe this landed, nothing to talk about.
+
+* Requirements for Projects releasing internal projects to 3rd party contributor [#1133](https://github.com/openjs-foundation/cross-project-council/issues/1133)
+Discussion of how we can notify the community when new maintainers are added to the project (for security / disclosure purposes). Is this something the CPC controls, or is this under project control? The CPC can recommend, but not necessarily control outcomes. There is also a desire to avoid ostrich-ing ourselves. Is there a need for a statement/foundation stance on this topic. “No policy, discuss ad hoc” is a viable outcome.
+Using a software package implies a trust of the maintainers, including trust that they can add a maintainer (this is also true for commercial / non open source software). When ‘shopping around’ for someone to take ownership of a project that is somewhat different (but in what ways?)
+Are there any rules or governance for adopting or releasing to something/someone from outside the foundation? Is the liability different? 
+The implicit trust has included the right to audit new people - is that implicit trust no longer there (or do we need to make it explicit?). Comment that we have lost that trust, but it has also gone well in some areas. It’s gone very well in 99.9999+ cases, and poorly in some small numbers. Need to be aware of this.. 
+Next steps: Suggested: Create a policy specifically for handing off a project, and instead of a policy, a checklist that the CPC should review on each case. Low bureaucracy. We owe an answer as to whether you can just ‘give it away’ or if there are CPC considerations and process (to be developed).
+The existence of the CPC is a huge barrier to negative outcomes since it is a support network for maintainers to avoid making mistakes in a vacuum. Reference to recent challenges in the ecosystem that might have been avoided if there were this kind of structure/more people.
+
+* Code of Conduct Plan of Action [#1122](https://github.com/openjs-foundation/cross-project-council/issues/1122)
+
+* Standardize on Collab Spaces over Working Groups [#1110](https://github.com/openjs-foundation/cross-project-council/issues/1110)
+
+* IP Policy License Exemption Request - LoopBack [#885](https://github.com/openjs-foundation/cross-project-council/issues/885)
+
+### Next week's working session
+
+Are there any initiatives or agenda items that we should use a working session to further progress on?
+- https://github.com/openjs-foundation/cross-project-council/labels/cpc-working-session
+
+### Regular reviews
+
+Please review regularly our list of dates and reminders, our quarterly review issues, and check the list of issues that can be closed:
+
+- https://github.com/openjs-foundation/cross-project-council/blob/main/Dates-and-Reminders.md
+- https://github.com/openjs-foundation/cross-project-council/labels/cpc-quartely-review
+- https://github.com/openjs-foundation/cross-project-council/labels/cpc-can-issue-be-closed
+
+### Q&A, Other
+
+## Upcoming Meetings
+
+* **Calendar**: <https://calendar.openjsf.org>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.