Perl Steering Council

Porters,

After a meeting around an actual physical table at the Perl Toolchain Summit last week, the three of us were back to our regular video calls. The call was longer than usual, as we delved into the code of CPAN.pm.

Release blockers for 5.038

We looked at the tickets we tagged “Release Blocker” last week, and made some decisions.

The following issues are NOT release blockers: - Path-Class (https://github.com/Perl/perl5/issues/20039): it’s been broken for the past 2 stable releases - App-ClusterSSH (https://github.com/Perl/perl5/issues/20376): already failing in 5.036, added comments in the ticket - XS-Parse-Keyword, Devel-Chitin, others (https://github.com/Perl/perl5/issues/20384): we should add a note to perldelta explaining the breaking change - Number-Format (https://github.com/Perl/perl5/issues/20571): it should be adopted to make a new release - Text-MicroMason (https://github.com/Perl/perl5/issues/21037): the tests depend on the exact error message (this is too fragile)

This last one is definitely a release blocker: - XML-PathScript (https://github.com/Perl/perl5/issues/21044): Rik will send an email to the list

Installing modules securily with Perl default install

As much as we want HTTPS support in core, we can’t have it for v5.38. However, we want a newly installed Perl + CPAN.pm to be secure by default. Currently this is not the case because HTTP::Tiny does not use SSL normally, and even when installed it does not set verify_SSL to true.

HTTP::Tiny should be secure by default (set verify_SSL to true, complain if there are no root CAs available).

CPAN.pm is a far more complex question because its code is a deep twisty maze of years of piled-up workarounds and legacy code (FTP by default?), and the question of “what should this do?” is far less clear-cut. More discussions will have to be had with more people who are deeper involved, to work out what would be best.

We should do this ASAP, as it is a release blocker.