#cpan — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cpan, aggregated by home.social.
-
I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.
The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.
There's a draft spec at https://github.com/CPAN-Security/cpan-metadata-v3/blob/main/automation-policy.md but it's already out-of-sync with the Perl code.
Ideas and feedback would be appreciated.
https://metacpan.org/release/RRWO/Dist-AutomationPolicy-v0.1.0
-
I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.
The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.
There's a draft spec at https://github.com/CPAN-Security/cpan-metadata-v3/blob/main/automation-policy.md but it's already out-of-sync with the Perl code.
Ideas and feedback would be appreciated.
https://metacpan.org/release/RRWO/Dist-AutomationPolicy-v0.1.0
-
I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.
The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.
There's a draft spec at https://github.com/CPAN-Security/cpan-metadata-v3/blob/main/automation-policy.md but it's already out-of-sync with the Perl code.
Ideas and feedback would be appreciated.
https://metacpan.org/release/RRWO/Dist-AutomationPolicy-v0.1.0
-
I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.
The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.
There's a draft spec at https://github.com/CPAN-Security/cpan-metadata-v3/blob/main/automation-policy.md but it's already out-of-sync with the Perl code.
Ideas and feedback would be appreciated.
https://metacpan.org/release/RRWO/Dist-AutomationPolicy-v0.1.0
-
I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.
The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.
There's a draft spec at https://github.com/CPAN-Security/cpan-metadata-v3/blob/main/automation-policy.md but it's already out-of-sync with the Perl code.
Ideas and feedback would be appreciated.
https://metacpan.org/release/RRWO/Dist-AutomationPolicy-v0.1.0
-
Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.
By making several requests to get session IDs, one can deduce the internal state of rand.
The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.
-
Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.
By making several requests to get session IDs, one can deduce the internal state of rand.
The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.
-
Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.
By making several requests to get session IDs, one can deduce the internal state of rand.
The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.
-
Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.
By making several requests to get session IDs, one can deduce the internal state of rand.
The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.
-
Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.
By making several requests to get session IDs, one can deduce the internal state of rand.
The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.
-
@offseq Wow, the details are pretty wrong here.
The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.
- Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
- The code in WebDyne::Session does not seed the PRNG explicitly.
- The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
- WebDyne::Session effectively generates this bound as
(process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)
This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.
Yes. The generated session IDs are effectively something like
md5_hex("2.84319174058601e+16").The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.
Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was
process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same. -
@offseq Wow, the details are pretty wrong here.
The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.
- Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
- The code in WebDyne::Session does not seed the PRNG explicitly.
- The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
- WebDyne::Session effectively generates this bound as
(process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)
This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.
Yes. The generated session IDs are effectively something like
md5_hex("2.84319174058601e+16").The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.
Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was
process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same. -
@offseq Wow, the details are pretty wrong here.
The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.
- Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
- The code in WebDyne::Session does not seed the PRNG explicitly.
- The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
- WebDyne::Session effectively generates this bound as
(process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)
This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.
Yes. The generated session IDs are effectively something like
md5_hex("2.84319174058601e+16").The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.
Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was
process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same. -
@offseq Wow, the details are pretty wrong here.
The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.
- Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
- The code in WebDyne::Session does not seed the PRNG explicitly.
- The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
- WebDyne::Session effectively generates this bound as
(process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)
This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.
Yes. The generated session IDs are effectively something like
md5_hex("2.84319174058601e+16").The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.
Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was
process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same. -
@offseq Wow, the details are pretty wrong here.
The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.
- Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
- The code in WebDyne::Session does not seed the PRNG explicitly.
- The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
- WebDyne::Session effectively generates this bound as
(process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)
This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.
Yes. The generated session IDs are effectively something like
md5_hex("2.84319174058601e+16").The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.
Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was
process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same. -
I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as
md5_hex( rand . time . $$ . ++$counter )
This anti-pattern is used in many places, and has been the reason for several CVEs.
https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0
As a scholarly aside, I am curious as to who first came up this anti-pattern.
-
I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as
md5_hex( rand . time . $$ . ++$counter )
This anti-pattern is used in many places, and has been the reason for several CVEs.
https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0
As a scholarly aside, I am curious as to who first came up this anti-pattern.
-
I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as
md5_hex( rand . time . $$ . ++$counter )
This anti-pattern is used in many places, and has been the reason for several CVEs.
https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0
As a scholarly aside, I am curious as to who first came up this anti-pattern.
-
I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as
md5_hex( rand . time . $$ . ++$counter )
This anti-pattern is used in many places, and has been the reason for several CVEs.
https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0
As a scholarly aside, I am curious as to who first came up this anti-pattern.
-
I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as
md5_hex( rand . time . $$ . ++$counter )
This anti-pattern is used in many places, and has been the reason for several CVEs.
https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0
As a scholarly aside, I am curious as to who first came up this anti-pattern.
-
Gonna build a #CPAN testing VM with #DragonflyBSD. Any gotchas that my fedihomies think that a seasoned Unixhead should know about?
-
Gonna build a #CPAN testing VM with #DragonflyBSD. Any gotchas that my fedihomies think that a seasoned Unixhead should know about?
-
Gonna build a #CPAN testing VM with #DragonflyBSD. Any gotchas that my fedihomies think that a seasoned Unixhead should know about?
-
Gonna build a #CPAN testing VM with #DragonflyBSD. Any gotchas that my fedihomies think that a seasoned Unixhead should know about?
-
Gonna build a #CPAN testing VM with #DragonflyBSD. Any gotchas that my fedihomies think that a seasoned Unixhead should know about?
-
A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.
Yay past me!
(the #BigInt modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the #CPAN)
-
A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.
Yay past me!
(the #BigInt modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the #CPAN)
-
A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.
Yay past me!
(the #BigInt modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the #CPAN)
-
A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.
Yay past me!
(the #BigInt modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the #CPAN)
-
A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.
Yay past me!
(the #BigInt modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the #CPAN)
-
I have released a new version of
App::CpanDak, my sub-class ofApp::cpanminus/cpanmwith "some sort of distroprefs"
You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.Some::Fancy::Libraryhas released a new version 1.3.4 that doesn't install cleanly? add aSome-Fancy-Library.options.ymlwith:
and that version will be skipped, even if pulled in via indirect dependencies!--- add_version_spec: "!= 1.3.4"
https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0
#perl #cpan -
I have released a new version of
App::CpanDak, my sub-class ofApp::cpanminus/cpanmwith "some sort of distroprefs"
You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.Some::Fancy::Libraryhas released a new version 1.3.4 that doesn't install cleanly? add aSome-Fancy-Library.options.ymlwith:
and that version will be skipped, even if pulled in via indirect dependencies!--- add_version_spec: "!= 1.3.4"
https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0
#perl #cpan -
I have released a new version of
App::CpanDak, my sub-class ofApp::cpanminus/cpanmwith "some sort of distroprefs"
You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.Some::Fancy::Libraryhas released a new version 1.3.4 that doesn't install cleanly? add aSome-Fancy-Library.options.ymlwith:
and that version will be skipped, even if pulled in via indirect dependencies!--- add_version_spec: "!= 1.3.4"
https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0
#perl #cpan -
I have released a new version of
App::CpanDak, my sub-class ofApp::cpanminus/cpanmwith "some sort of distroprefs"
You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.Some::Fancy::Libraryhas released a new version 1.3.4 that doesn't install cleanly? add aSome-Fancy-Library.options.ymlwith:
and that version will be skipped, even if pulled in via indirect dependencies!--- add_version_spec: "!= 1.3.4"
https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0
#perl #cpan -
I have released a new version of
App::CpanDak, my sub-class ofApp::cpanminus/cpanmwith "some sort of distroprefs"
You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.Some::Fancy::Libraryhas released a new version 1.3.4 that doesn't install cleanly? add aSome-Fancy-Library.options.ymlwith:
and that version will be skipped, even if pulled in via indirect dependencies!--- add_version_spec: "!= 1.3.4"
https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0
#perl #cpan