Results matching “CPAN Day”

Addressing CPAN vulnerabilities related to checksums

This blog post addresses checksum and signature verification vulnerabilities affecting CPAN, the cpan client, and the cpanm client, which were published in a security advisory on 23rd November 2021. If you're not aware of this topic, you might like to start by reading the advisory. This post gives a high-level description of the issues, what has been done to address them, what is still left to do, and what you should do. If you have any questions on this, you can add comments here, or email the PAUSE admins (modules at perl dot org).

Before we dig into the details, we'll first give an overview of how the relevant parts of the CPAN ecosystem work.

If you're not interested in the details, skip to the section "What do you need to do?"

TL;DR: make sure your CPAN client uses https and a trusted mirror – such as cpan.org

Open Letter to the Perl Foundation Board

Dear TPF Board members,

We want to express our disappointment with the recent transparency reports and associated actions from the Community Affairs Team (CAT).

On Monday 19th March, a first Transparency Report was issued, which said that an individual had been investigated for (1) behaviour on IRC and Twitter, and (2) behaviour at a Perl event in 2019. The report also reported that they had "found many instances of communication which alone may not have constituted unacceptable behavior, but when taken together did constitute unacceptable behavior", but no further details were given on those. The report issued a ban from all TPF events "in perpetuity", and furthermore issued a ban on the individual’s participation on irc.perl.org and any perl.org mailing lists. A second individual was issued a warning.

Prior to the 19th, one of the Perl Steering Council (PSC) members explicitly asked you not to issue a ban, saying that the PSC were already starting work on improving discourse in and around p5p. That person felt that a ban would be counterproductive when the PSC were trying to improve things in a more inclusive way. The second event was the Perl Toolchain Summit (PTS). The incident was investigated at the time, resulting in two of the organisers (Philippe Bruhat and Neil Bowers) asking the individual to leave. He left peacefully, expressing regret that he had upset and offended the other party. The PTS is not a TPF event.

Nearly two weeks after the initial report, TPF issued a Transparency Report Update, which retracted parts of the first report, but left other parts hazy. For example, the first report mentions other "unacceptable behaviour", but gives no further details in either report. The warning for the second individual was retracted.

The use of "transparency" seems incongruous:

  • No charter for the CAT had been published, nor a common set of guidelines as the basis of triggering investigations or taking corrective actions.
  • No definition for “unacceptable behavior” was provided.
  • The CAT did not talk to the relevant communities or their leaders before publishing the initial report.
  • The CAT had not spoken to either person investigated prior to publishing the first report.

These behaviours don't demonstrate the values and behaviours that we could reasonably expect of a body investigating community affairs. As the most visible and official Perl organization, TPF should hold itself to a higher standard.

This felt like a clumsy attempt by TPF to establish control over all Perl communities, and only when you got push-back did you attempt to wind some of that back. You do not have jurisdiction over IRC, email lists, or most other parts of our communities. It is not TPF/CAT’s role to request that people stop participating. We have not given you consent to unilaterally define policy across our communities, nor impose punishments on behalf of them.

We are all firm supporters of codes of conduct, where the goal is to set expectations for behaviour. Many of our individual communities have long defined and enforced their own guidelines and standards of conduct. That said, we believe that our communities could benefit from harmonising standards. This was an opportunity for TPF/CAT to demonstrate leadership, and start bringing our communities together towards a unified policy. Instead the TPF acted seemingly without consideration for the varied needs and devolved leadership of the communities it purports to represent.

This is not to say that we condone the individual's behaviour. Some signatories to this letter were part of the governing bodies that issued the initial corrective actions on the two incidents the CAT cited. We also do not want to diminish the upset and offence that the individual has caused to a number of people over the years.

We would like to see TPF acknowledge its failings in how this has been handled, and make changes to ensure these aren't repeated, but we're not looking for a blood-letting and further division. We would like to see this debacle as a catalyst for our communities coming together to move things forward. We need to clarify the organisation and governance structures of our communities, and start the process of defining common values and expectations around behaviour. This needs to be a community-led activity: given recent events, we don't feel that TPF/CAT is currently fit for a leadership role in this, but we would absolutely want your participation.

In volunteer communities such as ours, leadership is about doing the hard work of building consensus, not imposing your will on the rest of us. Leadership should be a service we provide to our communities.

Signed

Andreas König, Chief PAUSE Admin, White Camel award recipient
Andrew Shitov, conference organiser, White Camel award recipient
Ask Bjoern-Hansen, Perl NOC, runs perl.org, White Camel award recipient
Chris Prather, Admin for irc.perl.org, White Camel award recipient
Dave Cross, Perl trainer, regular speaker, author, Facebook group admin, White Camel award recipient
Kenichi Ishigaki, CPANTS Admin, PAUSE Admin
Neil Bowers, PAUSE Admin, event organiser, PSC member, White Camel award recipient
Olaf Alders, MetaCPAN founder and project lead
Philippe Bruhat, longtime event organiser, White Camel award recipient
Robert Spier, Perl NOC, runs perl.org/pm.org, White Camel award recipient
Thomas Klausner, event organiser, CPANTS Founder, White Camel award recipient
Tim Bunce, founder of the Module List, PAUSE Admin Emeritus, author of DBI, White Camel award recipient

Fastmail and Perl: an interview with Ricardo Signes

Ricardo (Rik) Signes is a member of the Perl community who has helped the programming language move forward as far as features, stability, and popularity. Previously, he was Perl’s Pumpking (manager of the core Perl 5 language), during which time he oversaw 5 major releases. Currently, he is a board member at the Perl Foundation and CTO at Fastmail, leading a development team working in Perl every day.

This blog post is brought to you by Fastmail, a gold sponsor for PTS. More information about Fastmail is provided at the end of this article.

PAUSE Projects at PTS 2019

Every year at the Perl Toolchain Summit (PTS), there is some work done on PAUSE, but 2019 was a vintage year. In this blog post we'll remind you exactly what PAUSE is and does, and then take you through the major bits of PAUSE work done.

This blog post is brought to you by ZipRecruiter, who were a Gold sponsor for the PTS. More information about ZipRecruiter is provided at the end of this article.

MaxMind is sponsoring the Perl Toolchain Summit

The Perl Toolchain Summit (PTS) is happening this week in Marlow, on the banks of the River Thames, in the UK. Most of the attendees will gather on Wednesday evening, with the real business kicking off at 9am on Thursday morning. For the next four days 32 Perl developers will be working intensively on the tools that all Perl developers rely on.

Attendees log their activities on the wiki, and blog posts will appear during and after. You can see some of what goes on in semi real-time on twitter, via the #pts2019 hashtag.

We're extremely grateful to MaxMind, who once again are a Gold Sponsor for the PTS. The attendees are brought together from around the world, and we're only able to do this with the support of companies from our community, like MaxMind.

Perl Toolchain Summit: People & Projects

The Perl Toolchain Summit (PTS) is taking place later this month in Marlow, in the UK, as previously announced. This event brings together maintainers of most of the key systems and tools in the CPAN ecosystem, giving them a dedicated 4 days to work together. In this post we describe how the attendees are selected, and how we decide what everyone will work on. We're also giving you a chance to let us know if there are things you'd like to see worked on.

This blog post is brought to you by cPanel, who we're happy to announce are a Platinum sponsor for the PTS. cPanel are a well-known user and supporter of Perl, and we're very grateful for their support. More about cPanel at the end of this article.

Announcing the Perl Toolchain Summit 2019

This year's Perl Toolchain Summit (PTS) is being held in the UK, in the historic town of Marlow, which is about 30 miles west of London.

In this post we'll give an overview of the PTS and who attends, the venue, and the plans for this year. All of the attendees are volunteers, who mostly work on the CPAN ecosystem in their spare time, so the event is supported by sponsorship. If your company uses Perl, maybe you could support the PTS?

COED:ETHICS 2018

A group of Perl companies are sponsoring the COED:ETHICS conference, a one-day conference on ethics for developers and technologists, which is in London on July 13th.

PAUSE Privacy Policy

Today is GDPR Day, and to celebrate that, the PAUSE admins have added a Privacy Policy to PAUSE. This tells you:

  • what personal data is processed by PAUSE;
  • what PAUSE does with that data;
  • how that data is shared (with the rest of the CPAN ecosystem);
  • PAUSE's lawful basis for holding your information (this is a GDPR term, which essentially answers the question "what gives PAUSE the right to hold your personal data?")
  • what your rights are, and how to exercise them.

The policy is linked off the sidebar in PAUSE, and the source is a markdown document in PAUSE's github repo.

Ask not what CPAN can do for you

If you're still not sure what to do on CPAN Day this year, you could help me with one of my trickle projects: help us get META.yml and META.json files added to CPAN distributions that currently have neither.

Send me an email and I'll assign you a distribution. I've ordered the list of distributions based on how far up the CPAN River they are. Fixing these distributions results in more accurate river data, and will also help various tools and services.

CPAN Day is 16th August

CPAN Day marks the date of the first recorded upload to CPAN: Andreas König uploaded Symdump 1.20 (it's since been renamed Devel::Symdump).

On CPAN Day this year, you could do some small thing to help celebrate. This could be as simple as emailing the author of a module that you regularly use and saying "thank you". It may not sound like much, but it's great to be on the receiving end.

There are lots of other things you could do to help someone else's module. For a previous CPAN Day I posted a list of ideas.

Or if you've got your own distributions on CPAN, you could fix a bug, or merge an outstanding pull request *cough*. This year I plan to merge at least one PR, and do at least one release to CPAN. I'll submit a PR too.

What will you do?

The Toolchain Summit is only possible with support from our sponsors

The Perl Toolchain Summit (PTS) started yesterday (Thursday 11th May) in Lyon, France. 35 dedicated toolchain developers have assembled for four days of intensive discussions and co-working. Not only does a lot get done in these four days, but we send everyone home with longer todo lists, fired up to keep working on them.

The developers come from around the world, and we're only able to do this with the generous support of all of our sponsors. You've seen individual posts for our Platinum and Gold sponsors, but in this post we'd like to tell you about our other sponsors. If you get the chance, please thank them: all Perl developers benefit from this summit.

Specifying dependencies for your CPAN distribution

In this article I'm going to show you how to specify dependencies for your CPAN distributions: the other Perl and CPAN modules that your distribution relies on. This is the fourth article in a series. The first article gave a general introduction to distribution metadata. The second article introduced the five phases for which dependencies, or prerequisites, can be specified. The third article presented the types, or relationships, that can be specified for each dependency.

This article is brought to you by cPanel, Inc., a Gold sponsor for the Perl Toolchain Summit. cPanel are a well-known user and supporter of Perl, and we're very grateful for their support. More about cPanel at the end of this article.

The Perl Toolchain Summit Project List

The Perl Toolchain Summit (PTS) is the annual event where we assemble the people who are actively working on the Perl toolchain, and give them 4 days to work together. In this blog post, we'll look at how we decide what everyone will work on, and give you a chance to make suggestions.

This blog post is brought to you by Perl Jobs by Perl Careers, which as well as helping Perl programmers find jobs, supports a number of community events, including the QA Hackathon last year.

Dependency phases in CPAN distribution metadata

In the previous article in this series we gave a general introduction to the distribution metadata which is included in releases as files META.json and/or META.yml. In this article I'll drill into more detail at one critical component of a distribution's metadata: dependencies, also known as prerequisites (usually shortened to "prereqs"). This is how you specify other CPAN modules that your distribution depends on.

This post is brought to you by Booking.com, a platinum sponsor for the Perl Toolchain Summit. Booking.com is one of the largest Perl shops in the world, and so depends heavily on the toolchain. Thank you to Booking.com for supporting the summit.

An introduction to CPAN distribution metadata

All CPAN releases (these days) include a metadata file which has information about the distribution. It can be used by tools like CPAN clients (when installing modules), but it's also helpful for other tool writers, and people analysing the structure of CPAN. The metadata file will be called META.yml or META.json, and recent releases often contain both.

In this blog post we'll introduce some of what's in the files and how they're used by CPAN clients.

This post is brought to you by FastMail, a gold sponsor for this year's Toolchain Summit, which is being held in Lyon, France in May. The summit is only possible with the support of companies like FastMail. We'll be doing a series of toolchain-related blog posts, to thank our sponsors.

TVPM Tech Talks in Reading, UK

On Monday 27th March, the Thames Valley Perl Mongers (TVPM) are having a mini tech talks session in Reading. Talks are going to be about 15 minutes each. Speakers and topics are given below, along with details of the venue.

Any and all are welcome to join us.

MetaCPAN operational view

This is the third in a series of articles about MetaCPAN. The first article described the two main parts that make up the MetaCPAN project, the API and the search interface. The second article gave a high level summary of how the API uses Elasticsearch to hold and search information about CPAN distributions and authors.

In this post we'll look at how MetaCPAN links to other parts of the CPAN ecosystem, how the physical setup has changed with MetaCPAN v1, and another service that v1 has made available.

This post is brought to you by Booking.com, our second platinum sponsor. Booking.com is one of the largest Perl shops in the world, and have done a lot to support our community over the years. Thank you to Booking.com for supporting meta::hack.

An introduction to MetaCPAN's use of Elasticsearch

This is the second in a series of articles, which we're writing to celebrate meta::hack, our first MetaCPAN hackathon, which is currently (Nov 17th through 21st) taking place in Chicago.

This hackathon was by invitation only, since it had a very specific goal: completing migration of the live service to MetaCPAN v1 (which includes a major Elasticsearch upgrade, from 0.20 to 2.4, or nearly 70 stable releases forward). Once that's done, any remaining time will be spent fixing bugs, and discussing what comes next. The attendees are Olaf Alders (founder of MetaCPAN), Mickey Nasriachi, Leo Lapworth, Tom Sibley, Joel Berger, Doug Bell, Brad Lhotsky and Zach Dykstra. Matt Trout is contributing remotely.

This post is brought to you by cPanel, a platinum sponsor for meta::hack. cPanel are a well-known user and supporter of Perl, and we're very grateful for their support. More about cPanel at the end of this article.

An Overview of MetaCPAN

This week a small group of dedicated Perl developers are gathering in Chicago for meta::hack, the first MetaCPAN hackathon. The primary goal is to complete the transition to Elasticsearch v2, a major undertaking that was started more than a year ago.

Because all the participants are volunteers, this was only possible with sponsorship. Over the next few days we'll be sharing information about MetaCPAN and the work going on, and acknowledging some of the key sponsors.

This post is brought to you by FastMail, a gold sponsor for meta::hack. FastMail is a stalwart supporter of the Perl community — they also sponsored the QA Hackathon this year.


About Neil Bowers

Perl hacker since 1992.