blogs.perl.org

A meeting with full attendance.

• We caught up with new issues and pull requests without finding any new release blockers.
• We went over the state of the perldeprecation and perlexperiment POD pages. We found that perlexperiment does not yet reflect the change in direction regarding smartmatch. Other than that we saw nothing to do.
• We went over our options regarding readline again at length. We concluded that we are not yet sure about the big across-the-board change to I/O functions, and are definitely too far into the release cycle to undertake a fishing expedition. But we don’t want to leave this problem entirely unaddressed during this cycle, and the change proposed by Tony Cook is a strict improvement, even if only a minimal one. So we decided to ship it, possibly with a slightly different implementation that we may suggest.

[P5P posting of this summary]

Re-creating CVE-2024-56406 using docker container with affected Perl versions.
Please check out the link below for more information.
https://theweeklychallenge.org/blog/cve-2024-56406

Over the past year, I’ve been self-studying XS and have now decided to share my learning journey through a series of blog posts. This first post introduces the fundamentals of creating an perl object from XS.

(apologies for "promoting"(?) Perl obfuscation...)

Today I won a gift card at an in-office meeting with the following code. Challenge: print the numbers 1-100 in the most incomprehensible, inefficient way. My entry, edited for brevity:

#!/usr/bin/env perl
use v5.16;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
# plus 95 more of this
say join $/, @_;

Thinking about it more this evening, I came up with

$SIG {__DIE__} = sub { $_ = (pop)+0; chomp; $_%6?say:exit};
{ select undef,undef,undef,1; eval { die time-$^T }; redo; }

(where 6 instead of 101 so I don't have to wait 100 seconds (and to be honest I'm not sure if there'll be rounding errors)).

Wonder if any obfuscators could come up with better (the less inefficient, incomprehensible the better).

We were all present.

• CVE-2024-56406 is published and has been addressed by new point releases. Please upgrade or patch your perl promptly if affected. We thank Steve Hay, Andreas König and Stig Palmquist for doing the heavy lifting, as well as Nathan Mills for discovering the problem, and Karl Williams for providing the fix. We re-/learned a number of old and new lessons about the handling of security issues, which we will write up as new process for the PSC, the Perl Security Team, and the CPANSec group, to be jointly reviewed and agreed at the looming PTS.

• We started winnowing this release cycle’s pull requests for potential release blockers. We briefly reviewed all 72 pull requests and identified 11 of interest for a closer look.

• We reviewed the 2 new issues filed since last week for release blocker potential and put one of them on our list for closer review. We then started a closer examination of the 20 issues we identified as candidate blockers. We got through 5 issues, none of which we considered blockers.

[P5P posting of this summary]

Perl Toolchain Summit 2025, my first time, thanks to the organisers.
Here is my event report: https://theweeklychallenge.org/blog/pts-2025

I wrote very elliptically about this warning and received some helpful comments with the standard advice about how to proceed when encountering it. Except unfortunately that advice will be of no use when you encounter this warning.

Namely I should have been less cute about it and made it clear that I was specifically talking about a warning about a wide character “in substitution”. How can a s/// even possibly trigger a wide character warning, you ask? Beats me, to be entirely honest, even now, but: if you have a use locale somewhere, it turns out that it can. Because defeating that is what fixed the warning I was getting:

Control. That’s what we all desire and very rarely acquire. The natural restlessness that occurs when you watch one of your offspring flicking from one movie title to the next, barely glancing at the summary before rejecting it, is one of the reasons I don’t like family movie night. My daughter’s grip on the remote is as strong as her decision making skills are weak; I struggle silently to hold back any outburst that would expose my failing parenting abilities once again. I have to distract myself with thoughts of the good old days when the TV had only 4 channels and Teletext was the closest thing to internet. Desiring such regression is now getting much of a habit for me. But we change what we can, accept what we can’t and trust, often foolishly, that those blessed with control do the best for all of us. Ah, look. Another teen fantasy horror romance movie. Thanks a heap, Netflix.

Herewith V 1.24

Cheers

Map::Tube now supports Unicode character in station names.
Please check out the link below for more information.
https://theweeklychallenge.org/blog/map-tube-unicode

All three of us attended. Other than administrivia we talked about formally documenting our supported platforms, and we intend to start a discussion on the mailing list about this soon. This is also a topic for the upcoming Perl Toolchain Summit.

[P5P posting of this summary]

In the last months of the previous century, I had to learn Perl to be able to teach it to professionals. It was my 28th language to use, but still took two years to understand deeply. As experienced assembler and C programmer, I was astound how much more of my ideas I could achieve with this new Swiss army knife in my hands. I fell in love with Perl.

Of course, the only way to learn a programming language well, is to use it for a larger project. So, I started to re-code the business shell scripts and websites to Perl. Part of it was sending automated emails to colleagues.

Your phase in life is probably different, but for my personal feeling it was not too long ago; for Internet's lifespan, the year 2000 is ancient history. The first spec for MIME headers in email were just 8 years old at the time, and many email features were still evolving.

Die Hochschule der Bayerischen Wirtschaft unterstützt den Perl Workshop 2025 in München.

Wir freuen uns über die Unterstützung durch die HDBW!

Von der bayerischen Wirtschaft, mit der bayerischen Wirtschaft, für die
bayerische Wirtschaft: Die Hochschule der Bayerischen Wirtschaft (HDBW) ist
eine private, staatlich anerkannte Hochschule für angewandte
Wissenschaften - mit Fokus auf Wirtschaft, Technik und Digitalisierung. An der 2012 gegründeten HDBW mit Sitz in
München-Riem studieren derzeit knapp 500 Studierende.

Couple of experimental features added to Map::Tube.
Please check out the link below for more information.
https://theweeklychallenge.org/blog/map-tube-experimental

This announcement comes a bit late in the year, but the preparations for the next Perl Toolchain Summit have been going on for several months now. Today I am proud to announce that the 15th Perl Toolchain Summit will be held in Leipzig, Germany, from Thursday May 1st till Sunday May 4th, 2025.

This post is brought to you by Deriv, a Gold Sponsor of the Perl Toolchain Summit 2024.

For 25 years, Deriv has been committed to making online trading accessible to anyone, anywhere. Trusted by over 2.5 million traders worldwide, the company offers an expansive range of trade types and boasts over 200 assets across popular markets on its award-winning, intuitive trading platforms. With a workforce of more than 1,400 people globally, Deriv has cultivated an environment that celebrates achievements, encourages professional growth, and fosters talent development which reflects in its Platinum accreditation by Investors in People.

Cellgraph 0.7 is out. (I introduced it here and there.) And I will tell you about the great new features in the next paragraph and how it helps you to play with logical structures and deepen your understanding of them. But first please let me mention the why!

Originally published at dev.to

In a previous blog post, I explored the modern way to write CGI scripts using frameworks like Mojolicious. But as pointed out in comments, despite the many benefits, there is one critical problem: when you actually need to deploy to a regular CGI server, where the scripts will be loaded each time and not persisted, frameworks designed for persistent applications add lots of overhead to each request.

CGI scripts have historically been written using the CGI module (or even more ancient libraries). But this module is bulky, crufty, and has serious design issues that led to it being removed from Perl core.

Find out all about CVE and how we deal with it in Perl.
Please checkout the post for more information:
https://theweeklychallenge.org/blog/cve-in-perl

Lots has been going on. All of us showed up, though Aristotle had to join late and Philippe had to leave early, so the meeting was short but productive:

• We continued with the potential release blocker issue review and finished going over all 49 issues remaining at this time, of which we identified 11 of interest. There are now still 72 pull requests to review.
• We agreed to include the new Perl logo in the next release, but don’t yet know exactly how and where. That should be sorted out on p5p, and we will kick that off soon.
• We went over the latest point release news, where everything is finally on track. It is coming very soon.

[P5P posting of this summary]

I just needed a few rows of UUIDs in a column of a spreadsheet, more for esthetics than anything else. uuidgen to the rescue.

At the time I didn't realize that uuidgen natively supports outputting multiple ids like so

uuidgen -C 8

The truly lazy path would have been to read the fine uuidgen manual.

Alas, supposing I needed to make multiple calls to uuidgen, I went with a Perl one-liner with a loop, as I couldn't recall the Bash loop syntax.

Here comes the laziness... I I didn't want to write something like this:

perl -e 'print `uuidgen` for @{[1..5]}';

I'm not so found of of perl's de-reference syntax these days, also that array reference/range was giving "the ick" as my kids would say. I needed something lazier, cleaner. I wondered if there were any default/exported arrays available to me that don't have too many elements to them.... Ah, I know!