home.social
Sign in Create account

#cpan — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cpan, aggregated by home.social.

  1. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.

    The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.

    There's a draft spec at github.com/CPAN-Security/cpan- but it's already out-of-sync with the Perl code.

    Ideas and feedback would be appreciated.

    metacpan.org/release/RRWO/Dist

    #CPAN

    #ai #perl #cpan
  2. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.

    The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.

    There's a draft spec at github.com/CPAN-Security/cpan- but it's already out-of-sync with the Perl code.

    Ideas and feedback would be appreciated.

    metacpan.org/release/RRWO/Dist

    #CPAN

    #ai #perl #cpan
  3. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.

    The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.

    There's a draft spec at github.com/CPAN-Security/cpan- but it's already out-of-sync with the Perl code.

    Ideas and feedback would be appreciated.

    metacpan.org/release/RRWO/Dist

    #CPAN

    #ai #perl #cpan
  4. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.

    The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.

    There's a draft spec at github.com/CPAN-Security/cpan- but it's already out-of-sync with the Perl code.

    Ideas and feedback would be appreciated.

    metacpan.org/release/RRWO/Dist

    #CPAN

    #cpan #perl #ai
  5. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a prototype module for generating and parsing metadata about software #AI and automation policies, based on ideas from the #Perl Toolchain Summit in April.

    The idea is to have machine-readavle information about how code is generated, what kind of automated contributions are handled are allowed, and what kind of automation the maintainers of a project use.

    There's a draft spec at github.com/CPAN-Security/cpan- but it's already out-of-sync with the Perl code.

    Ideas and feedback would be appreciated.

    metacpan.org/release/RRWO/Dist

    #CPAN

    #ai #perl #cpan
  6. "Mutant Rob" Robert Rothenberg @[email protected] ·

    @barubary @offseq

    Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.

    By making several requests to get session IDs, one can deduce the internal state of rand.

    The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.

    #perl #cpan #cve

    #perl #cpan #cve
  7. "Mutant Rob" Robert Rothenberg @[email protected] ·

    @barubary @offseq

    Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.

    By making several requests to get session IDs, one can deduce the internal state of rand.

    The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.

    #perl #cpan #cve

    #perl #cpan #cve
  8. "Mutant Rob" Robert Rothenberg @[email protected] ·

    @barubary @offseq

    Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.

    By making several requests to get session IDs, one can deduce the internal state of rand.

    The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.

    #perl #cpan #cve

    #perl #cpan #cve
  9. "Mutant Rob" Robert Rothenberg @[email protected] ·

    @barubary @offseq

    Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.

    By making several requests to get session IDs, one can deduce the internal state of rand.

    The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.

    #perl #cpan #cve

    #cve #cpan #perl
  10. "Mutant Rob" Robert Rothenberg @[email protected] ·

    @barubary @offseq

    Nope. Perl's built-in rand is seeded by 32-bits. The size of the internal state doesn't matter.

    By making several requests to get session IDs, one can deduce the internal state of rand.

    The multiplier does nothing to improve the security. Ultimately rand is just based in 32-bits.

    #perl #cpan #cve

    #perl #cpan #cve
  11. Oriel Jutty :hhHHHAAAH: @[email protected] ·

    @offseq Wow, the details are pretty wrong here.

    The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.

    • Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
    • The code in WebDyne::Session does not seed the PRNG explicitly.
    • The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
    • WebDyne::Session effectively generates this bound as (process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)

    This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.

    Yes. The generated session IDs are effectively something like md5_hex("2.84319174058601e+16").

    The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.

    Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same.

    #perl #CPAN #cve

    #perl #cpan #cve
  12. Oriel Jutty :hhHHHAAAH: @[email protected] ·

    @offseq Wow, the details are pretty wrong here.

    The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.

    • Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
    • The code in WebDyne::Session does not seed the PRNG explicitly.
    • The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
    • WebDyne::Session effectively generates this bound as (process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)

    This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.

    Yes. The generated session IDs are effectively something like md5_hex("2.84319174058601e+16").

    The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.

    Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same.

    #perl #CPAN #cve

    #perl #cpan #cve
  13. Oriel Jutty :hhHHHAAAH: @[email protected] ·

    @offseq Wow, the details are pretty wrong here.

    The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.

    • Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
    • The code in WebDyne::Session does not seed the PRNG explicitly.
    • The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
    • WebDyne::Session effectively generates this bound as (process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)

    This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.

    Yes. The generated session IDs are effectively something like md5_hex("2.84319174058601e+16").

    The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.

    Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same.

    #perl #CPAN #cve

    #perl #cpan #cve
  14. Oriel Jutty :hhHHHAAAH: @[email protected] ·

    @offseq Wow, the details are pretty wrong here.

    The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.

    • Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
    • The code in WebDyne::Session does not seed the PRNG explicitly.
    • The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
    • WebDyne::Session effectively generates this bound as (process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)

    This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.

    Yes. The generated session IDs are effectively something like md5_hex("2.84319174058601e+16").

    The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.

    Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same.

    #perl #CPAN #cve

    #cve #cpan #perl
  15. Oriel Jutty :hhHHHAAAH: @[email protected] ·

    @offseq Wow, the details are pretty wrong here.

    The session ID generation relies on an MD5 hash seeded with the built-in rand() function, which is seeded with predictable 32-bit values derived from process ID, epoch time, and object reference address.

    • Perl's built-in PRNG has a 48-bit internal state and is seeded with 48 bits, not 32 bits. Edit: See below. Perl internally seeds its PRNG with 32 bits from /dev/urandom.
    • The code in WebDyne::Session does not seed the PRNG explicitly.
    • The value passed to rand() is converted to a double-precision floating point value and acts as an upper bound on the generated number. It is not a seed.
    • WebDyne::Session effectively generates this bound as (process_id * 10_000_000_000.0 + unix_time()) * 10. The object address plays no part in this calculation. (It tries to, but the code is buggy and always multiplies by 10 instead.)

    This predictability makes the session IDs insecure and potentially guessable by attackers, risking unauthorized access.

    Yes. The generated session IDs are effectively something like md5_hex("2.84319174058601e+16").

    The vulnerability affects versions through 2. 075 and does not apply to versions 1. 042 and earlier, which are distributed separately.

    Incorrect. The vulnerability affects all versions of WebDyne::Session. The only difference is that in versions before 2.0, the "multiply by 10" code wasn't there, so the upper bound on generated random numbers was process_id * 10_000_000_000.0 + unix_time(). Everything else (md5_hex(), rand(), etc) was exactly the same.

    #perl #CPAN #cve

    #perl #cpan #cve
  16. David Cantrell 🏏 @DrHyde ·

    @manwar Test2 is great, but whenever I see something using yath on one of my testing machines it seems to be incredibly slow. Don't know why, and have better things to do than investigate, but that's put me off using it.

    #cpan
  17. "Mutant Rob" Robert Rothenberg @[email protected] ·

    "575 Pull Requests in Three Weeks: What Happens When #AI Meets #CPAN Maintenance"

    This is an interesting read, including the comments.

    blogs.perl.org/users/todd_rina

    #Perl #LLM #Claude

    #ai #cpan #perl #llm #claude
  18. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-randonm sources like rand(), system time, pid such as

    md5_hex( rand . time . $$ . ++$counter )

    This anti-pattern is used in many places, and has been the reason for several CVEs.

    metacpan.org/release/RRWO/Perl

    #CPAN #security

    As a scholarly aside, I am curious as to who first came up this anti-pattern.

    #perl #cpan #security
  19. David Cantrell 🏏 @DrHyde ·

    Gonna build a testing VM with . Any gotchas that my fedihomies think that a seasoned Unixhead should know about?

    #cpan #dragonflybsd #perl
  20. David Cantrell 🏏 @DrHyde ·

    A few days ago I tried to build some perls with 32 bit ints and 128 bit floats. Cue test failures. Today I tried again, and this time I read my notes from last time on how to do it, and it Just Works.

    Yay past me!

    (the modules bundled with some versions of perl don't like that combination of data sizes; the solution is to ignore their test failures, install anyway, and then upgrade to the latest versions from the )

    #bigint #cpan #perl #32bit #ridiculouscomputing #computationalperversions
  21. dakkar @[email protected] ·

    I have released a new version of App::CpanDak, my sub-class of App::cpanminus / cpanm with "some sort of distroprefs"

    You could already apply patches, skip tests, and set environment variables, to any distribution you installed; now you can augment version specifications.

    Some::Fancy::Library has released a new version 1.3.4 that doesn't install cleanly? add a Some-Fancy-Library.options.yml with:

    ---
add_version_spec: "!= 1.3.4"
    and that version will be skipped, even if pulled in via indirect dependencies!

    https://metacpan.org/release/DAKKAR/App-CpanDak-0.1.0

    #perl #cpan

    #perl #cpan
  22. domm @[email protected] ·

    Hm, did Data::Random got deleted from #CPAN? I have some failing build pipelines and metacpan does not list it anymore, only some dependencies. #Perl Anybody knows who can investigate this?

    #cpan #perl
  23. "Mutant Rob" Robert Rothenberg @[email protected] ·

    MetaCPAN @metacpan now displays security advisories when you are viewing a module with advisories.

    #Perl #CPAN #security #infosec #CVE @cpansec

    #perl #cpan #security #infosec #cve
  24. CPAN Security Group @cpansec ·

    @cpansec published a 2025 year in review!

    We had lots of activities, and good progress in many places, but can do more.

    Check it out, and if you feel inspired, join us!

    security.metacpan.org/2026/01/

    #cpan #perl #security #foss #supplychainsecurity
  25. "Mutant Rob" Robert Rothenberg @[email protected] ·

    I've released a new version of the #Perl module Hash::Util::Merge to #CPAN.

    This module lets you merge hashes by applying a function to each value per key.

    This version allows you to merge an arbitrary number of hashes

    metacpan.org/release/RRWO/Hash

    #perl #cpan
  26. DevTo VN Bot @[email protected] ·

    📡 Đã có module CPAN NOAA::Aurora giúp tích hợp dự báo cực quang vào app thời tiết. Cung cấp bản đồ cực quang bán cầu Bắc, tính xác suất tại tọa độ, và chuỗi dự báo 3 ngày hoặc 27 ngày từ NOAA SWPC. Dễ dùng, hỗ trợ cache. #NOAA #Aurora #SpaceWeather #CPAN #Perl #cựcquang #khíhạcvũtrụ

    dev.to/dkechag/noaaaurora-for-

    #noaa #aurora #spaceweather #cpan #perl #cựcquang
  27. David Cantrell 🏏 @DrHyde ·

    Well, 64-bit seems to be rock-solid when I run it in , it's only a crashy piece of shit in . 32-bit Trixie is fine in UTM, as are and . This isn't a general 64-bit issue, as seems to be stable.

    I suppose that means it's time to ditch Debian for my testing.

    #debian #trixie #virtualbox #utm #freebsd #openbsd
  28. David Wheeler @[email protected] ·

    Is #CPAN still having issues? I made a new release, which shows up here:

    metacpan.org/dist/Text-Markup

    But some of the individual modules don't, e.g.,

    metacpan.org/pod/Text::Markup

    I poked around #perl blogs but didn't see any news

    #cpan #perl
  29. David Cantrell 🏏 @DrHyde ·

    Regret to report that I have perpetrated software. Number::Phone version 4.0009 is on its way to the . There are no significant code changes, it's mostly just data updates.

    #cpan #perl #telecoms
  30. CPAN Security Group @cpansec ·

    RE: chaos.social/@sjn/115657831506

    This is highly relevant for maintainers of and packages. If you are interested in helping make CPAN secure (and therefore compliant), then join us!

    security.metacpan.org/

    #perl #cpan
  31. sahilister @[email protected] ·

    Noticed tagline on CPAN (cpan.org). Great lines!

    #CPAN #Perl

    #cpan #perl
  32. CPAN Security Group @cpansec ·

    RE: fosstodon.org/@the_underbar/11

    We're famous! Hooray! 😄

    (Well, not really. But the episode was good! 😅)

    #cpan #opensource #security #podcast
  33. David Cantrell 🏏 @DrHyde ·

    " This module is , , , , and . The most egregious of bugs might be fixed but I do not promise to do so. There is no support. Using this module is a Bad Idea. Under no circumstances will maintenance be handed over to anyone else. The PAUSE admins should note that anyone wanting to take over maintenance is not qualified to do so. "

    Place your bets now on how many people are too fucking stupid to understand that in my code's doco.

    #unsupported #unloved #unmaintained #obsolete #deprecated #perl
  34. David Cantrell 🏏 @[email protected] ·

    " This module is #unsupported, #unloved, #unmaintained, #obsolete, and #DEPRECATED. The most egregious of bugs might be fixed but I do not promise to do so. There is no support. Using this module is a Bad Idea. Under no circumstances will maintenance be handed over to anyone else. The PAUSE admins should note that anyone wanting to take over maintenance is not qualified to do so. "

    Place your bets now on how many people are too fucking stupid to understand that in my code's doco.

    #perl #cpan

    #unsupported #unloved #unmaintained #obsolete #deprecated #perl
  35. David Cantrell 🏏 @[email protected] ·

    " This module is #unsupported, #unloved, #unmaintained, #obsolete, and #DEPRECATED. The most egregious of bugs might be fixed but I do not promise to do so. There is no support. Using this module is a Bad Idea. Under no circumstances will maintenance be handed over to anyone else. The PAUSE admins should note that anyone wanting to take over maintenance is not qualified to do so. "

    Place your bets now on how many people are too fucking stupid to understand that in my code's doco.

    #perl #cpan

    #unsupported #unloved #unmaintained #obsolete #deprecated #perl
  36. David Cantrell 🏏 @[email protected] ·

    " This module is #unsupported, #unloved, #unmaintained, #obsolete, and #DEPRECATED. The most egregious of bugs might be fixed but I do not promise to do so. There is no support. Using this module is a Bad Idea. Under no circumstances will maintenance be handed over to anyone else. The PAUSE admins should note that anyone wanting to take over maintenance is not qualified to do so. "

    Place your bets now on how many people are too fucking stupid to understand that in my code's doco.

    #perl #cpan

    #cpan #perl #deprecated #obsolete #unmaintained #unloved
  37. David Cantrell 🏏 @[email protected] ·

    " This module is #unsupported, #unloved, #unmaintained, #obsolete, and #DEPRECATED. The most egregious of bugs might be fixed but I do not promise to do so. There is no support. Using this module is a Bad Idea. Under no circumstances will maintenance be handed over to anyone else. The PAUSE admins should note that anyone wanting to take over maintenance is not qualified to do so. "

    Place your bets now on how many people are too fucking stupid to understand that in my code's doco.

    #perl #cpan

    #unsupported #unloved #unmaintained #obsolete #deprecated #perl
  38. Martin Bishop @[email protected] ·

    #Perl conferences, mailing lists, and #CPAN (the Comprehensive Perl Archive Network) created a vibrant ecosystem long before the modern package managers of today. As the web matured and new languages emerged, #Python, #PHP, and later #Ruby, Perl’s dominance gradually waned. Still, many of the ideas Perl popularised, from regular expressions to package repositories, remain foundational today.
    3/4

    #perl #cpan #python #php #ruby
  39. jik @[email protected] ·

    I’ve just published a new Ansible module called perlmod_install_info whose purpose is to help you install Perl modules on systems in the most portable way possible.

    Specifically, this module knows how to search for Perl modules in dnf, yum, and apt repositories as well as in cpanm. It prefers the OS repositories over CPAN because generally speaking you’re better off going with the OS-packaged versions of modules when they’re available, both because that’s more robust and because the OS packages install much faster than CPAN. CPAN is needed as a backstop because the OS distributions don’t include all Perl modules.

    What’s especially clever about this module is that when it does need to resort to CPAN to find a module that isn’t available in the OS repository, it recursively determines all of the dependencies of that module and checks for them in the OS repository. It then returns lists of modules you can install from the OS and modules you need to install from CPAN, so you can minimize the number of modules that end up coming from CPAN.

    If this sounds useful to you, you can check it out on GitHub.

    #Ansible #apt #CPAN #cpanm #dnf #Perl #perlmodInstallInfo #yum

    https://blog.kamens.us/2023/09/13/just-published-perlmod_install_info-ansible-module/

    #ansible #apt #cpan #cpanm #dnf #perl
  40. Daniel Böhmer @[email protected] ·

    I tried to tinker a bit with some Git branch for a future #PullRequest before “doing the real work” …

    Now I’ve dug deeply into `cpanm` code, created two truth tables of 32 cases each and lost the whole day writing a lengthy update on this #GitHub issue. 😂
    github.com/miyagawa/cpanminus/

    The issue is actually about building small #Docker containers with minimal @Perl dependencies while using the #CPAN client #cpanm alias #cpanminus.

    #pullrequest #github #docker #cpan #cpanm #cpanminus
  41. Mark Gardner @[email protected] ·

    @Perl Good news, the #Perl module IO::Socket::SSL now defaults to using the #TLS cryptographic protocol version 1.2 or greater. (Earlier versions have been widely deprecated for a couple of years due to weaknesses found in the #MD5 and #SHA1 hashing functions.)

    Note that if you’ve updated #OpenSSL recently you may also have to rebuild and reinstall Net::SSLeay from #CPAN.

    #infosec #security #cryptography #SSL g0v.social/@gugod/110392435778

    #perl #tls #md5 #sha1 #openssl #cpan
  42. Mark Gardner @[email protected] ·

    @ovid @fuzzix I don’t do #Windows #Perl either, but the main thing is you use #ActiveState’s package manager instead of #StrawberryPerl’s full inclusion of #CPAN support and a C compiler toolchain

    #windows #perl #activestate #cpan #strawberryperl
  43. OSTechNix @[email protected] ·

    How to install Perl modules on Linux #Perl #PerlModules #cpan #cpanm #cpanminus #Linux
    ostechnix.com/how-to-install-p

    #linux #cpanminus #cpanm #cpan #perlmodules #perl