PAUSE Projects at PTS 2019

Every year at the Perl Toolchain Summit (PTS), there is some work done on PAUSE, but 2019 was a vintage year. In this blog post we'll remind you exactly what PAUSE is and does, and then take you through the major bits of PAUSE work done.

This blog post is brought to you by ZipRecruiter, who were a Gold sponsor for the PTS. More information about ZipRecruiter is provided at the end of this article.

What is PAUSE?

PAUSE is the gateway to CPAN: it is the way that Perl authors upload their code. Anyone can register a PAUSE account, and can then upload distributions (tarballs) that contain one or more modules. Tarballs uploaded to PAUSE are copied to the CPAN Master site, from where they're mirrored around the world. PAUSE also generates a number of indices, which provide information about the modules, tarballs, and users.

All of this information is then used by other services that make up the CPAN ecosystem, such as MetaCPAN, CPAN Testers, CPANTS, etc.

PAUSE's behaviour is documented in the PAUSE Operating Model (POM), which was created during and after the 2017 PTS in Lyon.

Indexing Permissions

If you upload a new module to PAUSE, you are given an indexing permission for the associated package name. This means that your uploads will be added to the CPAN Index, so that they will show up in MetaCPAN searches, for example. As the originator of the namespace, you can also grant indexing permissions to other people, which means their uploads of the module will also be considered for inclusion in the Index. See the POM for more on indexing permissions.

Distribution permissions

Internally, PAUSE manages indexing permissions on a per-package basis. In the early days of PAUSE and CPAN this was fine, as many distributions only contained a small number of packages. But these days distributions can contain dozens of packages, and larger projects might have many contributors. Managing indexing permissions package by package is tedious in these situations, so Kenichi Ishigaki changed the PAUSE web interface so that by default you now manage permissions on a per-distribution basis. You can still do things package by package as well.

Case-insensitive permissions

For the first 20 years or so, indexing permissions were case-sensitive. This caused problems on systems with case-insensitive filesystems, like macOS and Windows. Over the last few years we've been working towards case-insensitive permissions. The last issue for this related to the case where an author changes the case of their own module. Rik Signes fixed this, as described in his blog post.

For the last three years, Neil Bowers has been working on resolving the historical cases. In 2016 there were about 350 such cases. During PTS 2019 the last 7 cases were resolved.
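The following added example (not PAUSE's own code) shows the kind of check behind those historical cases: it groups permission records by case-folded package name, flags names whose spellings are held by different users, and leaves alone an author's own case change. The record layout, user ids and package names are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample records in an assumed "package,userid" layout.
# These are not real PAUSE data.
my @records = (
    'Foo::Bar,USERA',
    'Foo::Bar,USERB',
    'foo::bar,USERC',       # same name in another case, different holder
    'JSON::Tiny,USERD',
    'Json::Tiny,USERD',     # author changed the case of their own module
    'Text::Widget,USERE',
);

# Index holders by case-folded package name, keeping each spelling apart.
my %by_folded;
for my $rec (@records) {
    my ($pkg, $user) = split /,/, $rec, 2;
    $by_folded{ lc $pkg }{$pkg}{$user} = 1;
}

# A conflict is a folded name with several spellings whose holder sets differ.
sub case_conflicts {
    my @out;
    for my $folded (sort keys %by_folded) {
        my $spellings = $by_folded{$folded};
        next if keys %$spellings < 2;
        my %holder_sets = map { join(',', sort keys %{ $spellings->{$_} }) => 1 }
                          keys %$spellings;
        push @out, $folded if keys %holder_sets > 1;
    }
    return @out;
}

# Case-insensitive rule: a user may index a package only if they hold a
# permission on some spelling of its name; an unclaimed name is open.
sub may_index {
    my ($pkg, $user) = @_;
    my $spellings = $by_folded{ lc $pkg } or return 1;
    return (grep { $spellings->{$_}{$user} } keys %$spellings) ? 1 : 0;
}

print "conflict: $_\n" for case_conflicts();
printf "%-6s %-10s %s\n", $_->[1], $_->[0], may_index(@$_) ? 'allowed' : 'refused'
    for (['Foo::bar', 'USERC'], ['FOO::BAR', 'USERE'], ['New::Name', 'USERE']);
```

A flagged name has to be resolved by hand before the case-insensitive rule can be enforced, because until then holders of either spelling pass the check.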

Giving up first-come permissions

If you have the first-come indexing permission on a package, you could previously just give up that permission. This could leave a package having no indexing permissions, which sometimes caused problems later on. When we were discussing the POM, the PAUSE admins realised that we should not let a package get into the "no indexing permissions" state. So this year Kenichi Ishigaki changed this behaviour: if you drop the first-come permission on a package, it is given to the special ADOPTME pseudo-user.

Testing PAUSE

Module::Faker

This is a module that Rik Signes wrote to make it easy to test PAUSE with synthetic releases. This year he made it easier to create dummy releases from a few pieces of information. He also made it easier to add unexpected things into the metadata for the distribution. I looked into several bugs with Rik, and was impressed by how much easier this made things. Read more in Rik's blog post on Module::Faker.

PAUSE testsuite improvements

Rik Signes made a number of improvements to the testsuite and associated tools, particularly those parts that exercise the indexer. Several of us worked on indexing related bugs, and the tools made it much easier for us to work out exactly what was happening and why, and then add new tests to confirm when bogus behaviour had been corrected. Read more in Rik's blog post.

Logging improvements

PAUSE has been in operation for more than 20 years. It's a complex beast, and it has slowly evolved over time. As a result it's not always easy to work out what's going on. To help with this, Rik put in place more structured logging.

HTTPS

Andreas König, Slaven Rezic, and Kenichi Ishigaki extended the Let's Encrypt certificate to cover both pause.perl.org and pause.cpan.org.

Penetration Testing

Lee Johnson ran a vulnerability scan, penetration test, and fuzzer against the main branch of PAUSE, and one of the main development branches. The most important issues found were fixed by Kenichi Ishigaki.

OAuth2

There are many different systems and services in the CPAN ecosystem. Many of them provide accounts, and have different mechanisms for authenticating you. But the one thing that all CPAN authors must have is a PAUSE account. Lee Johnson worked on making an OAuth2 provider. When this work is completed, it should make it easier for services to identify and authenticate users via PAUSE.

About ZipRecruiter

ZipRecruiter.com is a website where job seekers can find jobs all over the world, and employers can list their open positions. It was founded by four friends in 2010 who wanted to make life easier on both sides of the hiring table. With years of experience building sites with Perl, they put together their first prototype using DBIx::Class, Catalyst, and MySQL. Those same technologies have grown with them to support millions of users posting, finding, and applying to jobs today.

ZipRecruiter has over 100 developers, most of whom work in Perl on a regular basis. Some of them you'll recognise as long-time contributors to Perl and CPAN: EXODIST, FREW, GSHANK, MERLYN, MJD, JEFFOBER, INGY, DFARRELL, BLUEFEET, and more! ZipRecruiter continues to be built on open source, which is why they support developer communities through CPAN contributions, hosting LA.pm.org meetings, and financial support for events like the PTS.

Chad Granum (EXODIST), the lead developer for Test2 and a regular PTS attendee, is a senior developer at ZipRecruiter.

About Neil Bowers

Perl hacker since 1992.