Results matching “CPAN Day”

Addressing CPAN vulnerabilities related to checksums

This blog post addresses checksum and signature verification vulnerabilities affecting CPAN, the cpan client, and the cpanm client, which were published in a security advisory on 23rd November 2021. If you're not aware of this topic, you might like to start by reading the advisory. This post gives a high-level description of the issues, what has been done to address them, what is still left to do, and what you should do. If you have any questions on this, you can add comments here, or email the PAUSE admins (modules at perl dot org).

Before we dig into the details, we'll first give an overview of how the relevant parts of the CPAN ecosystem work.

If you're not interested in the details, skip to the section "What do you need to do?"

TL;DR: make sure your CPAN client uses https and a trusted mirror – such as cpan.org
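The check the advisory is about, in its simplest form, is: before a client unpacks or installs a distribution it has downloaded, it compares the file's SHA-256 digest and size against the entry for that file in the mirror's CHECKSUMS document. The following Python script is an added example written for this page; it is not code from the blog post, from the cpan or cpanm clients, or from CPAN::Checksums. The CHECKSUMS text it uses is constructed here to mimic the layout of a real CHECKSUMS file (the distribution name and tarball bytes are made up), only the 'sha256' and 'size' fields are consulted, and the document is parsed as plain text rather than evaluated as Perl. The PGP clearsign wrapper is included only as layout; signature verification is a separate step that this example does not perform.

```python
"""Verify a CPAN distribution tarball against its CHECKSUMS entry.

Added example for this page (not the cpan/cpanm clients' own code).
The CHECKSUMS document is constructed below; its layout imitates what
CPAN::Checksums writes, but the file name, bytes and digest are fixtures.
"""
import hashlib
import hmac
import re


def build_sample_checksums(filename: str, data: bytes) -> str:
    """Construct a CHECKSUMS-style document holding one entry (fixture only).

    The digest is computed from `data` so the fixture is self-consistent.
    The PGP armour lines are layout only; no signature is produced here.
    """
    digest = hashlib.sha256(data).hexdigest()
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\n"
        "Hash: SHA256\n\n"
        "# CHECKSUMS file written by CPAN::Checksums (constructed sample)\n"
        "$cksum = {\n"
        f"  '{filename}' => {{\n"
        f"    'sha256' => '{digest}',\n"
        f"    'size' => {len(data)}\n"
        "  },\n"
        "};\n"
        "__END__\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(signature omitted in this constructed sample)\n"
        "-----END PGP SIGNATURE-----\n"
    )


# Matches  'Some-Dist-1.00.tar.gz' => { ... }  and captures the body.
_ENTRY_RE_TEMPLATE = r"'{name}'\s*=>\s*\{{(.*?)\}}"


def lookup_entry(checksums_text: str, filename: str):
    """Return (sha256_hex, size) for `filename`, or None if absent/malformed.

    The document is treated as data: a regular expression pulls out the
    two fields we need instead of handing the text to an interpreter.
    """
    pattern = _ENTRY_RE_TEMPLATE.format(name=re.escape(filename))
    match = re.search(pattern, checksums_text, re.DOTALL)
    if not match:
        return None
    body = match.group(1)
    sha = re.search(r"'sha256'\s*=>\s*'([0-9a-f]{64})'", body)
    size = re.search(r"'size'\s*=>\s*(\d+)", body)
    if not (sha and size):
        return None
    return sha.group(1), int(size.group(1))


def verify_distribution(checksums_text: str, filename: str, data: bytes) -> bool:
    """True only if `data` matches the recorded size and SHA-256 for `filename`.

    A missing entry is a failure, not a pass: a client must not fall back to
    installing an unverified file just because the mirror did not list it.
    """
    entry = lookup_entry(checksums_text, filename)
    if entry is None:
        return False
    expected_sha, expected_size = entry
    if len(data) != expected_size:
        return False
    actual_sha = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; cheap insurance when comparing digests.
    return hmac.compare_digest(actual_sha, expected_sha)


# Constructed fixtures (not a real CPAN distribution).
SAMPLE_NAME = "Example-Dist-1.00.tar.gz"
SAMPLE_DATA = b"\x1f\x8b\x08\x00constructed tarball bytes for this example"
SAMPLE_CHECKSUMS = build_sample_checksums(SAMPLE_NAME, SAMPLE_DATA)


def demo():
    """Exercise the three outcomes: intact, tampered, and unlisted file."""
    intact = verify_distribution(SAMPLE_CHECKSUMS, SAMPLE_NAME, SAMPLE_DATA)
    tampered = verify_distribution(SAMPLE_CHECKSUMS, SAMPLE_NAME, SAMPLE_DATA + b"\x00")
    unlisted = verify_distribution(SAMPLE_CHECKSUMS, "Other-Dist-2.00.tar.gz", SAMPLE_DATA)
    return intact, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note what this does and does not buy you. If the tarball and the CHECKSUMS document both come from the same untrusted mirror over plain http, an attacker who can alter one can alter the other, and the digest comparison passes. The comparison is only meaningful when the CHECKSUMS document is obtained from a source you trust, which is exactly the TL;DR above: use https and a trusted mirror. Verifying the PGP signature on the CHECKSUMS file adds an independent anchor, and is the part this example leaves out.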

Open Letter to the Perl Foundation Board

Dear TPF Board members,

We want to express our disappointment with the recent transparency reports and associated actions from the Community Affairs Team (CAT).

On Monday 19th March, a first Transparency Report was issued, which said that an individual had been investigated for (1) behaviour on IRC and Twitter, and (2) behaviour at a Perl event in 2019. The report also reported that they had "found many instances of communication which alone may not have constituted unacceptable behavior, but when taken together did constitute unacceptable behavior", but no further details were given on those. The report issued a ban from all TPF events "in perpetuity", and furthermore issued a ban on the individual’s participation on irc.perl.org and any perl.org mailing lists. A second individual was issued a warning.

Prior to the 19th, one of the Perl Steering Council (PSC) members explicitly asked you not to issue a ban, saying that the PSC were already starting work on improving discourse in and around p5p. That person felt that a ban would be counterproductive when the PSC were trying to improve things in a more inclusive way. The second event was the Perl Toolchain Summit (PTS). The incident was investigated at the time, resulting in two of the organisers (Philippe Bruhat and Neil Bowers) asking the individual to leave. He left peacefully, expressing regret that he had upset and offended the other party. The PTS is not a TPF event.

Nearly two weeks after the initial report, TPF issued a Transparency Report Update, which retracted parts of the first report, but left other parts hazy. For example, the first report mentions other "unacceptable behaviour", but gives no further details in either report. The warning for the second individual was retracted.

The use of "transparency" seems incongruous:

  • No charter for the CAT had been published, nor a common set of guidelines as the basis of triggering investigations or taking corrective actions.
  • No definition for “unacceptable behavior” was provided.
  • The CAT did not talk to the relevant communities or their leaders before publishing the initial report.
  • The CAT had not spoken to either person investigated prior to publishing the first report.

These behaviours don't demonstrate the values and behaviours that we could reasonably expect of a body investigating community affairs. As the most visible and official Perl organization, TPF should hold itself to a higher standard.

This felt like a clumsy attempt by TPF to establish control over all Perl communities, and only when you got push-back did you attempt to wind some of that back. You do not have jurisdiction over IRC, email lists, or most other parts of our communities. It is not TPF/CAT’s role to request that people stop participating. We have not given you consent to unilaterally define policy across our communities, nor impose punishments on behalf of them.

We are all firm supporters of codes of conduct, where the goal is to set expectations for behaviour. Many of our individual communities have long defined and enforced their own guidelines and standards of conduct. That said, we believe that our communities could benefit from harmonising standards. This was an opportunity for TPF/CAT to demonstrate leadership, and start bringing our communities together towards a unified policy. Instead the TPF acted seemingly without consideration for the varied needs and devolved leadership of the communities it purports to represent.

This is not to say that we condone the individual's behaviour. Some signatories to this letter were part of the governing bodies that issued the initial corrective actions on the two incidents the CAT cited. We also do not want to diminish the upset and offence that the individual has caused to a number of people over the years.

We would like to see TPF acknowledge its failings in how this has been handled, and make changes to ensure these aren't repeated, but we're not looking for a blood-letting and further division. We would like to see this debacle as a catalyst for our communities coming together to move things forward. We need to clarify the organisation and governance structures of our communities, and start the process of defining common values and expectations around behaviour. This needs to be a community-led activity: given recent events, we don't feel that TPF/CAT is currently fit for a leadership role in this, but we would absolutely want your participation.

In volunteer communities such as ours, leadership is about doing the hard work of building consensus, not imposing your will on the rest of us. Leadership should be a service we provide to our communities.

Signed

Andreas König, Chief PAUSE Admin, White Camel award recipient
Andrew Shitov, conference organiser, White Camel award recipient
Ask Bjoern-Hansen, Perl NOC, runs perl.org, White Camel award recipient
Chris Prather, Admin for irc.perl.org, White Camel award recipient
Dave Cross, Perl trainer, regular speaker, author, Facebook group admin, White Camel award recipient
Kenichi Ishigaki, CPANTS Admin, PAUSE Admin
Neil Bowers, PAUSE Admin, event organiser, PSC member, White Camel award recipient
Olaf Alders, MetaCPAN founder and project lead
Philippe Bruhat, longtime event organiser, White Camel award recipient
Robert Spier, Perl NOC, runs perl.org/pm.org , White Camel award recipient
Thomas Klausner, event organiser, CPANTS Founder, White Camel award recipient
Tim Bunce, founder of the Module List, PAUSE Admin Emeritus, author of DBI, White Camel award recipient

Fastmail and Perl: an interview with Ricardo Signes

Ricardo (Rik) Signes is a member of the Perl community who has helped the programming language move forward as far as features, stability, and popularity. Previously, he was Perl’s Pumpking (manager of the core Perl 5 language), during which time he oversaw 5 major releases. Currently, he is a board member at the Perl Foundation and CTO at Fastmail, leading a development team working in Perl every day.

This blog post is brought to you by Fastmail, a Gold sponsor for the PTS. More information about Fastmail is provided at the end of this article.

PAUSE Projects at PTS 2019

Every year at the Perl Toolchain Summit (PTS), there is some work done on PAUSE, but 2019 was a vintage year. In this blog post we'll remind you exactly what PAUSE is and does, and then take you through the major bits of PAUSE work done.

This blog post is brought to you by ZipRecruiter, who were a Gold sponsor for the PTS. More information about ZipRecruiter is provided at the end of this article.

MaxMind is sponsoring the Perl Toolchain Summit

The Perl Toolchain Summit (PTS) is happening this week in Marlow, on the banks of the River Thames, in the UK. Most of the attendees will gather on Wednesday evening, with the real business kicking off at 9am on Thursday morning. For the next four days 32 Perl developers will be working intensively on the tools that all Perl developers rely on.

Attendees log their activities on the wiki, and blog posts will appear during and after. You can see some of what goes on in semi real-time on twitter, via the #pts2019 hashtag.

We're extremely grateful to MaxMind, who once again are a Gold Sponsor for the PTS. The attendees are brought together from around the world, and we're only able to do this with the support of companies from our community, like MaxMind.

Perl Toolchain Summit: People & Projects

The Perl Toolchain Summit (PTS) is taking place later this month in Marlow, in the UK, as previously announced. This event brings together maintainers of most of the key systems and tools in the CPAN ecosystem, giving them a dedicated 4 days to work together. In this post we describe how the attendees are selected, and how we decide what everyone will work on. We're also giving you a chance to let us know if there are things you'd like to see worked on.

This blog post is brought to you by cPanel, who we're happy to announce are a Platinum sponsor for the PTS. cPanel are a well-known user and supporter of Perl, and we're very grateful for their support. More about cPanel at the end of this article.

Announcing the Perl Toolchain Summit 2019

This year's Perl Toolchain Summit (PTS) is being held in the UK, in the historic town of Marlow, which is about 30 miles west of London.

In this post we'll give an overview of the PTS and who attends, the venue, and the plans for this year. All of the attendees are volunteers, who mostly work on the CPAN ecosystem in their spare time, so the event is supported by sponsorship. If your company uses Perl, maybe you could support the PTS?

COED:ETHICS 2018

A group of Perl companies are sponsoring the COED:ETHICS conference, a one-day conference on ethics for developers and technologists, which is in London on July 13th.

PAUSE Privacy Policy

Today is GDPR Day, and to celebrate that, the PAUSE admins have added a Privacy Policy to PAUSE. This tells you:

  • what personal data is processed by PAUSE;
  • what PAUSE does with that data;
  • how that data is shared (with the rest of the CPAN ecosystem);
  • PAUSE's lawful basis for holding your information (this is a GDPR term, which essentially answers the question "what gives PAUSE the right to hold your personal data?");
  • what your rights are, and how to exercise them.

The policy is linked off the sidebar in PAUSE, and the source is a markdown document in PAUSE's github repo.

Ask not what CPAN can do for you

If you're still not sure what to do on CPAN Day this year, you could help me with one of my trickle projects: getting META.yml and META.json files added to CPAN distributions that currently have neither.

Send me an email and I'll assign you a distribution. I've ordered the list of distributions based on how far up the CPAN River they are. Fixing these distributions results in more accurate river data, and will also help various tools and services.


About Neil Bowers

Perl hacker since 1992.