Perl Toolchain Summit 2026 - Vienna
This year, I was once again honored to be invited to the Perl Toolchain Summit (PTS), held in Vienna. Following productive years in Lisbon and Leipzig, the CPAN Security Group (CPANSec) spent time discussing how to improve the security of the Perl and CPAN ecosystem.
As always, the magic of PTS lies in the hallway discussions and focused groups where we can work on complex problems that are nearly impossible to coordinate over email or GitHub alone.
CPANSec: Maturing our CNA Role
Since we established CPANSec as a CVE Numbering Authority (CNA) in 2025, our focus has shifted toward efficiency and sustainability. We have a small group working on finding and documenting vulnerabilities. We spent time in Vienna discussing:
- Reducing Time to CVE: We discussed how we can reduce the overhead required to issue CVEs without adversely affecting quality.
- Workflow Optimization: We worked on improving the disclosure process to ensure that security reports move from initial contact to a patched release as smoothly as possible.
- The Maintainer Human Element: A major takeaway this year was recognizing the impact security reports have on maintainers. We want to ensure that being "tapped" for a security fix is a supportive experience rather than a stressful burden on our volunteer community.
Crypt::OpenSSL::RSA: Restoring Functionality
Following the work Todd Rinaldo (toddr) and I did last year in Leipzig, where we disabled PKCS1 padding to mitigate the Marvin attack, we revisited Crypt::OpenSSL::RSA.
Working together in Vienna, we released a version that restores PKCS1 v1.5 padding specifically for signatures. This padding is no longer allowed for encryption, but it remains vital for signature verification, and it was great to finally close this loop and fix this issue.
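An added example (not code from the module or from the authors) of the split the paragraph describes, using Crypt::OpenSSL::RSA's public API: PKCS#1 v1.5 stays in use for signing and verifying, while encryption goes through OAEP. The message and secret are constructed sample values, and the key pair is generated on the fly rather than loaded from a file.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Constructed sample data for the example.
my $message = "release tarball digest: sha256:deadbeef";   # constructed
my $secret  = "session key bytes (constructed)";            # constructed

# Throwaway 2048-bit key pair; a real deployment loads a PEM key instead.
my $private = Crypt::OpenSSL::RSA->generate_key(2048);
my $public  = Crypt::OpenSSL::RSA->new_public_key($private->get_public_key_string());

# --- Signatures: PKCS#1 v1.5 is still the right tool here. ---
# sign()/verify() produce and check a PKCS#1 v1.5 signature over a SHA-256
# digest of the message. The encryption padding mode set later does not
# affect signatures, which is why the two can be configured differently.
$private->use_sha256_hash();
$public->use_sha256_hash();
my $signature = $private->sign($message);
die "signature did not verify\n" unless $public->verify($message, $signature);
print "signature OK (PKCS#1 v1.5, SHA-256)\n";

# A modified message must not verify against the original signature.
die "tampered message verified!\n" if $public->verify("$message.", $signature);

# --- Encryption: use OAEP padding, never PKCS#1 v1.5. ---
# PKCS#1 v1.5 encryption padding is what the Marvin attack targets; OAEP is
# the padding Crypt::OpenSSL::RSA should be used with for encrypt()/decrypt().
$public->use_pkcs1_oaep_padding();
$private->use_pkcs1_oaep_padding();
my $ciphertext = $public->encrypt($secret);
my $recovered  = $private->decrypt($ciphertext);
die "OAEP round trip failed\n" unless $recovered eq $secret;
print "OAEP encrypt/decrypt OK\n";
```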
Deep Dives and the "Bus Factor"
One of the highlights of PTS for me was when H. Merijn Brand (Tux) sat down with a small group of us to present metaconfig and Configure.
While the configuration process for Perl isn't something that changes frequently, it is complex. Merijn gave us a great overview of its importance and inner workings. Our hope is to improve the "bus factor" for this critical piece of the Perl build process, ensuring that more people in the community are equipped to maintain the core configuration logic across various platforms.
I also had the chance to sit in on several other great discussions:
- UTF-8: Karl Williamson shared deep technical insights into UTF-8 handling.
- Perl & AI: We discussed the emerging role of AI within the Perl community, both as a tool for development and the challenges it poses.
- Platform Support: Ensuring Perl continues to run flawlessly across the diverse landscape of modern (and ancient) operating systems.
- Paul Evans' update on features and changes coming to Perl.
As in past years, Paul provided both an entertaining and very informative description of things that could be coming to Perl in future releases.
Perl has not been standing still; it continues to grow and evolve, all without breaking backward compatibility.
Retiring the Old: The Deprecation of Module::Signature
Security is as much about moving forward as it is about patching the past. During PTS, we decided it was time to deprecate Module::Signature.
After reaching out to Audrey Tang, the original author, who approved the deprecation, we concluded that the module does not provide the expected security assurances required for a modern supply chain. It is time to retire it and shift our focus toward more robust, modern solutions for module integrity.
Organizers and Sponsors
A massive thank you to the organizers for another flawlessly executed PTS. The hospitality of Vienna and the focus provided by the venue allowed us to get an incredible amount of work done.
Finally, PTS simply wouldn't happen without the generous support of our sponsors. Their commitment to the "invisible" work of PTS is what makes it possible. It helps keep the Perl and CPAN ecosystem healthy, secure, and moving forward for everyone.
The Perl and Raku Foundation,
Grant Street Group,
Geizhals Preisvergleich,
Vienna.pm,
SUSE,
Trans-Formed Media LLC,
Ctrl O,
Simplelists,
Harald Joerg,
Michele Beltrame Sigmafin,
Laurent Boivin