Addressing CPAN vulnerabilities related to checksums

This blog post addresses checksum and signature verification vulnerabilities affecting CPAN, the cpan client, and the cpanm client, which were published in a security advisory on 23rd November 2021. If you're not aware of this topic, you might like to start by reading the advisory. This post gives a high-level description of the issues, what has been done to address them, what is still left to do, and what you should do. If you have any questions on this, you can add comments here, or email the PAUSE admins (modules at perl dot org).

Before we dig into the details, we'll first give an overview of how the relevant parts of the CPAN ecosystem work.

If you're not interested in the details, skip to the section "What do you need to do?"

TL;DR: make sure your CPAN client uses https and a trusted mirror – such as cpan.org

Making Taint support optional in Perl

One of the changes to Perl that we're considering on p5p (the perl5-porters mailing list) is the removal of taint support. The first step towards that is to add a Configure option that lets you build a Perl without taint support.

In this post I'll explain what we're considering, and why. The purpose of this post is to let everyone beyond p5p know about this, and give you a chance to comment.

Open Letter to the Perl Foundation Board

Dear TPF Board members,

We want to express our disappointment with the recent transparency reports and associated actions from the Community Affairs Team (CAT).

On Monday 19th March, a first Transparency Report was issued, which said that an individual had been investigated for (1) behaviour on IRC and Twitter, and (2) behaviour at a Perl event in 2019. The report also reported that they had "found many instances of communication which alone may not have constituted unacceptable behavior, but when taken together did constitute unacceptable behavior", but no further details were given on those. The report issued a ban from all TPF events "in perpetuity", and furthermore issued a ban on the individual’s participation on irc.perl.org and any perl.org mailing lists. A second individual was issued a warning.

Prior to the 19th, one of the Perl Steering Council (PSC) members explicitly asked you not to issue a ban, saying that the PSC were already starting work on improving discourse in and around p5p. That person felt that a ban would be counterproductive when the PSC were trying to improve things in a more inclusive way. The second event was the Perl Toolchain Summit (PTS). The incident was investigated at the time, resulting in two of the organisers (Philippe Bruhat and Neil Bowers) asking the individual to leave. He left peacefully, expressing regret that he had upset and offended the other party. The PTS is not a TPF event.

Nearly two weeks after the initial report, TPF issued a Transparency Report Update, which retracted parts of the first report, but left other parts hazy. For example, the first report mentions other "unacceptable behaviour", but gives no further details in either report. The warning for the second individual was retracted.

The use of "transparency" seems incongruous:

  • No charter for the CAT had been published, nor a common set of guidelines as the basis of triggering investigations or taking corrective actions.
  • No definition for “unacceptable behavior” was provided.
  • The CAT did not talk to the relevant communities or their leaders before publishing the initial report.
  • The CAT had not spoken to either person investigated prior to publishing the first report.

These behaviours don't demonstrate the values and behaviours that we could reasonably expect of a body investigating community affairs. As the most visible and official Perl organization, TPF should hold itself to a higher standard.

This felt like a clumsy attempt by TPF to establish control over all Perl communities, and only when you got push-back did you attempt to wind some of that back. You do not have jurisdiction over IRC, email lists, or most other parts of our communities. It is not TPF/CAT’s role to request that people stop participating. We have not given you consent to unilaterally define policy across our communities, nor impose punishments on behalf of them.

We are all firm supporters of codes of conduct, where the goal is to set expectations for behaviour. Many of our individual communities have long defined and enforced their own guidelines and standards of conduct. That said, we believe that our communities could benefit from harmonising standards. This was an opportunity for TPF/CAT to demonstrate leadership, and start bringing our communities together towards a unified policy. Instead the TPF acted seemingly without consideration for the varied needs and devolved leadership of the communities it purports to represent.

This is not to say that we condone the individual's behaviour. Some signatories to this letter were part of the governing bodies that issued the initial corrective actions on the two incidents the CAT cited. We also do not want to diminish the upset and offence that the individual has caused to a number of people over the years.

We would like to see TPF acknowledge its failings in how this has been handled, and make changes to ensure these aren't repeated, but we're not looking for a blood-letting and further division. We would like to see this debacle as a catalyst for our communities coming together to move things forward. We need to clarify the organisation and governance structures of our communities, and start the process of defining common values and expectations around behaviour. This needs to be a community-led activity: given recent events, we don't feel that TPF/CAT is currently fit for a leadership role in this, but we would absolutely want your participation.

In volunteer communities such as ours, leadership is about doing the hard work of building consensus, not imposing your will on the rest of us. Leadership should be a service we provide to our communities.

Signed

Andreas König, Chief PAUSE Admin, White Camel award recipient
Andrew Shitov, conference organiser, White Camel award recipient
Ask Bjoern-Hansen, Perl NOC, runs perl.org, White Camel award recipient
Chris Prather, Admin for irc.perl.org, White Camel award recipient
Dave Cross, Perl trainer, regular speaker, author, Facebook group admin, White Camel award recipient
Kenichi Ishigaki, CPANTS Admin, PAUSE Admin
Neil Bowers, PAUSE Admin, event organiser, PSC member, White Camel award recipient
Olaf Alders, MetaCPAN founder and project lead
Philippe Bruhat, longtime event organiser, White Camel award recipient
Robert Spier, Perl NOC, runs perl.org/pm.org, White Camel award recipient
Thomas Klausner, event organiser, CPANTS Founder, White Camel award recipient
Tim Bunce, founder of the Module List, PAUSE Admin Emeritus, author of DBI, White Camel award recipient

Kent Fredric's CPAN distributions are available for adoption

As most of you are probably aware, Kent Fredric sadly passed away earlier this year: notice from his family, on Facebook.

Kent was a prolific contributor to CPAN and Perl. He released more than 150 distributions of his own to CPAN, but also helped countless other authors and distributions, with bug reports, pull requests, and more.

When a CPAN author dies, their indexing permissions are dropped from PAUSE, and where they had the first-come permission, that will be passed to the pseudo-user ADOPTME. This flags the distribution as being available for adoption.

So as of now, all of Kent's distributions are available for adoption.

Opt-in your CPAN repos for Hacktoberfest

If you haven't heard, Hacktoberfest has now become opt-in, to reduce the number of spammy, or pointless, pull requests that people were doing, to get the t-shirt. In this post I'll describe how to opt your repos in, how to find opted-in repos, and why your repo might not be turning up in searches.

So if you've got repos with issues that you'd be happy to receive pull requests on, add the topic hacktoberfest, and make sure that your repo turns up in searches.