Perl Toolchain Summit 2025 in Leipzig
In the past, it took two years to merge my first PAUSE on Plack branch into the master and three years to merge the next PAUSE on Mojolicious (actually, two years to deploy and another year to merge). Now the question was: how long would it take to merge the next big thing, multifactor authentication for PAUSE? Two years, three years, or maybe four years this time? I already had a two-year-old draft branch and initially wished to merge it this year. However, things went differently.
The first MFA branch requested that you send your authentication code only when posting essential data, such as uploading a distribution or editing your account. If you choose to enable MFA, you may need to update your tools to allow you to send an extra code; otherwise, you shouldn't have to take any action. I knew it was suboptimal. It would only protect people keen on security. However, it would be less likely to hinder people from uploading a new distribution. Considering that we may soon have to ask people to include SBOM metadata in their distributions, keeping it easy to upload could have a more positive value.
That said, the branch wouldn't help if we had to force all users to enable MFA at login time for some reason. I wanted to laugh the idea away as unfounded fear, but who knows? I wouldn't be able to implement such a significant change during a four-day PTS, and I couldn't tell when the day would come. So, I started a new experiment to get proof of the concept beforehand.
The only way I could think of at the time was to add a new PAUSE application that allows you to log in to PAUSE by posting your credentials and then an additional MFA code via web forms (instead of the current basic authentication mechanism). If I mount it on a different path from the current PAUSE, you can choose which one to use, and it would be easy for us to drop one when necessary. However, it also means I must update two places whenever I make a change. I couldn't tell if it would be worth the cost, but one thing was sure. If we decide to mount a new application on a different path, existing tools, such as uploaders and deleters, will not work with the new app. And if we didn't need to keep compatibility with those tools, we would be able to change the app more boldly: we could use path information to determine a route (instead of an ACTION query parameter); we could drop the pause99_ prefix that all the form fields currently have; we could even go further and implement the design idea Babs Veloso gave us during the PTS 2018 in Oslo (you might remember my presentation at PerlCon 2019 in Riga).
I didn't have time to implement everything. I barely managed to make the new app work. It had almost no tests, and its session data was still in a signed cookie, not in the database. I asked Ricardo Signes and Matthew Horsfall for a review on the day I left home for the PTS, not knowing they wouldn't be attending this year.
I usually fly to the nearest airport to the venue, but it was too expensive to fly from Tokyo to Leipzig. To minimize the travel cost, I replaced the last leg with a train trip and left home earlier to avoid the Japanese holiday week. I stayed two nights in Frankfurt and arrived in Leipzig by train on the day before the PTS. However, I was still living as if I were in a different time zone. I couldn't stay awake and failed to attend the welcoming pre-dinner.
Day 1 started with a stand-up session. Missing a few people, I announced I had a new MFA branch. After the stand-up, however, Andreas König expressed his discontent about MFA over his breakfast. The only option for me was to retreat for a while.
So, instead of improving the MFA branch, I began reviewing all the open issues and pull requests. I asked Andreas to merge some obvious requests. One of them was by Thibault Duponchelle. He showed me his version of PAUSE on Docker branch and asked me how to ignore a git issue. I remembered I had a workaround, but it was only on my local branch (I made it a pull request on day 3). I also discussed a Local namespace issue with him.
Meanwhile, some of the CPAN security team came to us to see how the new MFA branch worked. I explained the current status and spent the rest of the day converting tests for the new app.
On day 2, I updated Mojolicious::Plugin::WithCSRFProtection and asked Andreas to merge a few more easy pull requests, including the one about the Local namespace. I made several more requests, but to my regret, I had to ask Andreas to revert some of them after the PTS. We also discussed an email address issue Andreas put the highest priority on this year. There was already a pull request by Ricardo, but it was part of a significant refactoring, and we didn't want to merge it when he was absent. Instead, I suggested a minimum fix to omit the display name part, which may be less polite but should cause fewer problems.
In addition, I enjoyed a presentation on Perl 5.42 by Paul Evans. I also joined a discussion about "abandoned" CPAN distributions, but this one didn't go well. Learning the number of inactivated accounts also depressed me. I attended a guided city tour for fresh air. Daniel Böhmer, the local organizer, showed us some interesting spots that I wouldn't visit without him. Vielen Dank.
At the social dinner after the tour, I asked Timothy Legge (of the security team) a lot of questions about MFA. Thanks to his kind answers, we got a clearer picture of the issue.
Although I felt the atmosphere had changed, I continued to fix minor issues on day 3. As only two members of the PAUSE team were present this year, I also reviewed the issues and requests of other team members and asked Andreas to merge a few, with or without slight modifications.
I also had a conversation about the EU Cyber Resilience Act with Salve Nilsen. Breno Oliveira gave me some ideas for the MFA branch as well.
Now that I had fixed what I thought I could do this year, I applied the same changes I made this year to the MFA branch on day 4. I also discussed what I should do the next time with Andreas and some of the security team. Stig Palmquist provided us with several ideas and suggested that we should let users use a longer password before proceeding with anything else. We also discussed other security issues. Some of us favored the idea of pinning down all the CPAN modules PAUSE uses (by Carton or Carmel), but Andreas rejected it. I made a pull request to update the security database entry on CPAN::Checksums while trying Test::CVE.
Many thanks to Daniel Böhmer, Tina Müller, Breno Oliveira, Philippe Bruhat, and Laurent Boivin for organizing this event again and to our generous sponsors:
Monetary Sponsors
Booking.com, WebPros, CosmoShop, Datensegler, OpenCage, SUSE, Simplelists Ltd, Ctrl O Ltd, Findus Internet-OPAC, plusW GmbH
In-kind sponsors
Grant Street Group, Fastmail, shift2, Oleeo, Ferenc Erki
Community Sponsors
The Perl and Raku Foundation, Japan Perl Association, Harald Joerg, Alexandros Karelas (PerlModules.net), Matthew Persico, Michele Beltrame (Sigmafin), Rob Hall, Joel Roth, Richard Leach, Jonathan Kean, Richard Loveland, Bojan Ramsa.