Re: Open source archives hosting malicious software packages

2017-09-21 Thread David Cantrell
On Wed, Sep 20, 2017 at 11:13:50PM +0100, David Precious wrote:

> One thing I think is good to consider is the fact that all CPAN releases
> get announced on a quite populated IRC channel, increasing the chance of
> someone spotting a release announcement and thinking "hmm, that looks
> dodgy" - but that's of course not entirely reliable, and doesn't focus
> only on new releases.

But is anyone paying attention? I assume you're talking about
#cpantesters, which I'm on, but I hardly ever look at it, and when I do
look I certainly don't look at scrollback, let alone looking at
scrollback *carefully*.

-- 
David Cantrell | Godless Liberal Elitist

Planckton: n, the smallest possible living thing


Re: Open source archives hosting malicious software packages

2017-09-20 Thread David Cantrell
On Fri, Sep 15, 2017 at 07:11:49PM -0400, James E Keenan wrote:

> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/
> 
> Would CPAN be subject to the same problem as described in the article above?

Yes.

DBI::Class, for example, could be a typo for DBIx::Class or a
misremembered Class::DBI, and there's nothing stopping anyone from
uploading a DBI::Class package that does all kinds of dodgy stuff.

-- 
David Cantrell | semi-evolved ape-thing

  Longum iter est per praecepta, breve et efficax per exempla.
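The check that the IRC-channel approach (in the reply at the top of the page) leaves to whoever happens to be reading scrollback can be automated against the index itself. Below is an added example, not code from the thread, from PAUSE, or from any CPAN client: it parses a 02packages.details.txt-style index and flags an incoming module name that is a near miss of an established one, covering the DBI::Class / DBIx::Class / Class::DBI case from the post above. The index fragment, author IDs, versions and paths in SAMPLE_INDEX are constructed for the example; only the file layout (header lines, a blank line, then one name/version/path record per line) is the real one.

```python
"""Added example, not code from the thread or from PAUSE/CPAN: flag a
proposed new module name that is a near miss of an established one.

SAMPLE_INDEX is a constructed fragment in the layout of
02packages.details.txt; author IDs, versions and paths are made up."""

SAMPLE_INDEX = """\
File:         02packages.details.txt
URL:          http://www.perl.com/CPAN/modules/02packages.details.txt
Description:  Package names found in directory $CPAN/authors/id/
Columns:      package name, version, path
Intended-For: Automated fetch routines, namespace documentation.
Line-Count:   4

Class::DBI                3.0.17  A/AA/AAUTHOR/Class-DBI-v3.0.17.tar.gz
DBIx::Class             0.082840  B/BB/BAUTHOR/DBIx-Class-0.082840.tar.gz
Moose                     2.2010  C/CC/CAUTHOR/Moose-2.2010.tar.gz
Net::HTTP                   6.17  D/DD/DAUTHOR/Net-HTTP-6.17.tar.gz
"""

EDIT_REASON = "within 1 edit of an existing name (separators ignored)"
SEP_REASON = "same letters as an existing name, different separators"
PERM_REASON = "same components as an existing name in a different order"


def parse_02packages(text):
    """Return {module: (version, path)} from 02packages.details.txt text.

    The file is a block of header lines, a blank line, then one
    whitespace-separated record per module."""
    index = {}
    _, _, body = text.partition("\n\n")
    for line in body.splitlines():
        if not line.strip():
            continue
        module, version, path = line.split()
        index[module] = (version, path)
    return index


def normalise(name):
    """Lower-case and drop the separators (::, -, _) that typos usually hit."""
    return name.lower().replace("::", "").replace("-", "").replace("_", "")


def components(name):
    """Sorted lower-case namespace parts, so DBI::Class and Class::DBI match."""
    return tuple(sorted(part.lower() for part in name.split("::")))


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def check_upload(new_module, index, max_edits=1):
    """Return [(existing_module, reason), ...] for an incoming module name.

    A name already in the index is a new release of an existing module, not
    a squat, so it yields no hits."""
    if new_module in index:
        return []
    norm_new = normalise(new_module)
    comps_new = components(new_module)
    hits = []
    for existing in sorted(index):
        norm_old = normalise(existing)
        if norm_new == norm_old:
            hits.append((existing, SEP_REASON))
        elif osa_distance(norm_new, norm_old) <= max_edits:
            hits.append((existing, EDIT_REASON))
        elif comps_new == components(existing):
            hits.append((existing, PERM_REASON))
    return hits


if __name__ == "__main__":
    index = parse_02packages(SAMPLE_INDEX)
    for candidate in ("DBI::Class", "Moose", "Net::HTTPS"):
        print(candidate, "->", check_upload(candidate, index) or "no near misses")
```

Distance-1 neighbours include plenty of legitimate modules (Net::HTTPS beside Net::HTTP, in the sample, is one), so the hits are a triage queue for a human rather than a verdict; in practice you would also weight a hit by whether the uploader has released into that namespace before, which the index alone does not tell you.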


Re: Making www.cpan.org TLS-only

2017-09-04 Thread David Cantrell
On Fri, Sep 01, 2017 at 12:48:02PM -0400, Olaf Alders wrote:

> As an (interesting?) aside, the Net::HTTP test suite just broke because of 
> the 301 from http://www.cpan.org to https://www.cpan.org  
> https://github.com/libwww-perl/Net-HTTP/issues/53  Obviously that test made 
> some assumptions which no longer hold up.  :)  A fix has been released.  I 
> just point it out as an unexpected side effect of making these sorts of 
> changes.  

It broke CPANdeps too, which needs to fetch 02packages.details.txt.gz,
as you're using some SSL options that its openssl doesn't understand.

The long-term fix is for me to upgrade the version of Debian that
CPANdeps uses, but in the mean time can that be another file excluded
from the re-directs please.

-- 
David Cantrell | Pope | First Church of the Symmetrical Internet

I apologize if I offended you personally,
I intended to do it professionally.
-- Steve Champeon, on the nanog list


"How to contribute" documentation

2016-06-08 Thread David Cantrell
I was looking at this thesis:
  http://incolumitas.com/data/thesis.pdf

and see that the author didn't try to attack the CPAN because "[it] had
such a bad documentation quality". I assume* that he means it wasn't
clear how to go about uploading a module.

And I think he's got a point. It's not obvious to someone who's not
already "in the know". I therefore suggest that we move (or maybe copy)
the "how to contribute" section from http://www.cpan.org/modules/index.html
to http://www.cpan.org/.

PR here that copies the relevant section:
  https://github.com/perlorg/cpanorg/pull/32

* I have contacted him for clarification, because we all know what
  happens when we assume

-- 
David Cantrell | Godless Liberal Elitist

I know that you believe you understand what you think you wrote, but
I'm not sure you realize that what you wrote is not what you meant.


New maintainer needed for cpXXXan

2016-04-29 Thread David Cantrell
Those of you who were at the most recent London.pm tech meet will recall
that I asked if anyone wanted to take over maintenance of cpXXXan. I do
not have the time needed to give it the attention it requires, both to
fix current problems or to do any necessary maintenance in the future.

If anyone would like to take it over please speak up. If no-one does,
then it will just rot and will eventually disappear.

If you do want to take over then I will gladly help you get your head
around how it works, and continue hosting it, at least until the
hardware fails, or becomes inadequate, or until my current employer
decides to stop giving me hosting for free.

-- 
David Cantrell | Minister for Arbitrary Justice

   The voices told me to [THIS SIG CENSORED BY GCHQ FOR REASONS OF
   NATIONAL SECURITY AND DECENCY AND OH MY GOD IS THAT A LOBSTER]


RECENT-* seem to have got stuck

2016-04-18 Thread David Cantrell
See http://www.cpan.org/authors/

Looks like the only one that's getting updated is RECENT-1h.yaml.

-- 
David Cantrell | A machine for turning tea into grumpiness

comparative and superlative explained:

 worse, worser, worsest, worsted, wasted


Re: Renaming the "QA Hackathon"?

2016-04-09 Thread David Cantrell
I think the word you're looking for is symposium. Although I think hackathon is 
just fine.

-- 
David Cantrell

This electrogram was despatched by wireless field telegraph. I would therefore 
ask that the recipient be so kind as to excuse any failures of courtesy or 
linguistic inelegance as an unfortunate side-effect of the technology.

> On 9 Apr 2016, at 15:11, James E Keenan <jk...@verizon.net> wrote:
> 
>> On 04/09/2016 09:06 AM, Neil Bowers wrote:
>> I’ve added a topic to the wiki page for “topics for discussion” at the QAH:
>> 
> [snip]
>> There’s a well-established definition for “hackathon” these days, and the 
>> QAH is not one of those. As a result when talking to potential sponsors, we 
>> have to be careful to define what the event is, how it works, and the 
>> attitude towards the output(s). I’ve had plenty of discussions explaining 
>> “no, not that kind of hackathon”.
>> 
>> Ie people who aren’t already familiar with the QAH hear “4-day … hackathon” 
>> and think something along the lines of:
>> 
>> So you’re going to get together and lash things up in a frenzy, in teams 
>> competing against each other.
>> 
> 
> I concede that the predominant use of the term "hackathon" these days is a 
> highly competitive event where teams compete against one another under time 
> pressure.  That's true both within private companies and in cases where, say, 
> a government body open-sources its data and seeks new "apps".
> 
> Once again, Perl is different -- and that's not a difference that we should 
> relinquish.  I count my participation in the Chicago hackathon Andy and Pete 
> organized in November 2006 as my entry point into real collaboration with 
> other members of the Perl community.  All the hackathons that I have 
> participated in since then -- including at least four which I have 
> organized[1] -- have emphasized collaboration and contributions to the Perl 
> ecosphere rather than competition.  None have awarded prizes.
> 
> The Perl QA Hackathon is, admittedly, somewhat unique among Perl hackathons 
> in that it is an admittedly elite event where funds are raised to bring 
> together Perl experts from around the world to work in a more focused way and 
> to develop consensus around proposals for the evolution of the Perl 
> infrastructure.  For that, you need, some serious funds, probably in at least 
> five figures.
> 
> Of the hackathons I myself have organized, only one needed donations in any 
> form other than the venue, and in that case the donor had a budget for 
> open-source contributions which had to be spent.  We would have been more 
> than happy with just the venue, but the extra contributions did enable us to 
> provide transportation costs for five people from outside our area to serve 
> as hackathon mentors.
> 
> I think the larger question of "How do we raise money for Perl events even 
> when they don't conform to larger corporate or societal expectations?" is a 
> good one, and I thank Neil for kicking off the discussion.  But I share 
> Kent's skepticism about alternative names as an easy answer to that question.
> 
> Thank you very much.
> Jim Keenan
> 
> [1] My earlier thoughts on hackathons:
> 
> "How to Get the Most Out of a Hackathon":
> http://thenceforward.net/perl/yapc/YAPC-NA-2007/houslight/index.html
> 
> "Let's Have a Distributed Perl Hackathon":
> http://blogs.perl.org/users/kid51/2012/10/lets-have-a-distributed-perl-hackathon.html
> 
> "New York Perl Hackathon A Success":
> http://blogs.perl.org/users/kid51/2013/03/new-york-perl-hackathon-a-success.html
> 



Re: CPAN River - water quality metric

2016-01-04 Thread David Cantrell
On Wed, Dec 23, 2015 at 03:46:48PM +0900, Kenichi Ishigaki wrote:

> CPANdeps (http://deps.cpantesters.org) has been providing useful
> information on water quality.

The main limitation to using it to judge water quality is that it only
considers the most recent version of every dependency. That is, it
samples the water quality once, ignoring the factory upstream that shits
its pants a coupla times a year.

-- 
David Cantrell | London Perl Mongers Deputy Chief Heretic

 If you can't imagine how I do something, it's
 because I have a better imagination than you


Re: Backpan mirror?

2015-09-15 Thread David Cantrell
On Tue, Sep 15, 2015 at 12:24:47PM -0400, David Golden wrote:

> Ah, right.  It's private.
> 
> I suggest you email the Perl NOC and ask for private rsync access.  I think
> supporting CPXXXAN makes a good case for it.

Will do - thanks.

-- 
David Cantrell | Reality Engineer, Ministry of Information

Immigration: making Britain great since AD43


Backpan mirror?

2015-09-15 Thread David Cantrell
I've been using backpan.cpantesters.org as my source of dists for
cpXXXan, but cpantesters is having some problems at the moment and today
...

rsync: failed to connect to backpan.cpantesters.org: Connection refused (111)

Can someone recommend another place I can do my daily rsync from?

-- 
David Cantrell | top google result for "internet beard fetish club"

  Irregular English:
you have anecdotes; they have data; I have proof


Re: Backpan mirror?

2015-09-15 Thread David Cantrell
On Tue, Sep 15, 2015 at 12:04:50PM -0400, David Golden wrote:
> On Tue, Sep 15, 2015 at 12:03 PM, David Cantrell <da...@cantrell.org.uk>
> wrote:
> > rsync: failed to connect to backpan.cpantesters.org: Connection refused 
> > (111)
> >
> > Can someone recommend another place I can do my daily rsync from?
> backpan.perl.org

Can't even connect to that one:

rsync: failed to connect to backpan.perl.org: Connection timed out (110)

-- 
David Cantrell | semi-evolved ape-thing


Re: Leo is skinning www.cpan.org

2010-09-27 Thread David Cantrell
On Mon, Sep 27, 2010 at 03:41:24PM +0100, Chris 'BinGOs' Williams wrote:
> On Sun, Sep 26, 2010 at 01:55:36PM -0700, brian d foy wrote:
> > I don't know what is generating the http://www.cpan.org/RECENT page
> > right now, but PAUSE now has a lot of files to show recent activity for
> > various time slices.  Anyone interested in doing something with that,
> > maybe even twitter-feed like? Someone had a subscribe to this distro
> > feature. I seem to recall that it might have been part of Perlbuzz.
> RECENT is a symlink to indices/RECENT-print
> I'll just point out that my CPAN Testing infrastructure relies on
> the RECENT file as is to find stuff to smoke test.

Mine used to, then it changed, so I switched to using RECENT.recent,
then it changed, now I use RECENT-1W.yaml.

Hopefully that's nice n stable!

While we're on the subject of RECENT*, what is RECENT-Z.yaml?  And will
it ever be updated?  At a glance, it appears to be a log of all uploads
and deletes from the beginning of time up to some point in recent
history, at which point it stops.  It would be Really Useful to have it
be updated a few times a year.

-- 
David Cantrell | semi-evolved ape-thing

  Irregular English:
ladies glow; gentlemen perspire; brutes, oafs and athletes sweat


Re: Trimming the CPAN - Automatic Purging

2010-03-30 Thread David Cantrell
On Sun, Mar 28, 2010 at 11:48:00AM -0500, Randy Kobes wrote:

> Has some sort of disk quota system for CPAN author accounts ever been
> considered?

There are authors with 100 distributions.  There are authors with just
one distribution.

There are authors with big distributions, and authors with only tiny
distributions.

I'd not be in favour of anything like that, which would impose burdens
on authors (prolific authors - the most prolific being pumpkings: perl
lives in their PAUSE directories - would have to contact admins to get
their quota increased) and on the volunteer admins (who would have to
decide whether to increase someone's quota or not).

OK, so I have a vested interest: my CPAN directory is, in terms of size,
number 37 out of 4900-something, because I have two *really* big
distributions.  For both of those I delete older versions when I think
it appropriate.  However, the load on rsync servers doesn't really come
from the size of files - no matter whether you use rsync or some other
protocol, they still have to serve those big files out at some point,
once to each person who mirrors from them.  The real load is the
*number* of files, and hence the number of stats they have to do when
someone asks rsync for changes.

If you really want to reduce the load, how about getting rid of the
CHECKSUM files and all the extracted blah.readme files in authors'
directories?  I'm kinda tempted to say the same about the .meta files as
well, although I imagine they're more useful to some downstream reusers
of the archive.

-- 
David Cantrell | Nth greatest programmer in the world

  When one has bathed in Christ there is no need to bathe a second time
  -- St. Jerome, on why washing is a vile pagan practice
 in a letter to Heliodorus, 373 or 374 AD


Re: Trimming the CPAN - Automatic Purging

2010-03-30 Thread David Cantrell
On Mon, Mar 29, 2010 at 12:02:11AM -0800, Arthur Corliss wrote:

> I think it would be a worthy cause ultimately, but certainly a much longer
> time to implementation, and considerably more effort.  Kind of sounds like
> the normal stonewalling I've been getting these last few days by our
> resident rsync fetishists.
>
> Very ironic.  I use the hell out of rsync, just more discriminately than you
> guys, and yet I'm public enemy number one.

You know how I use it?  Damn, I don't remember giving you accounts on my
machines so you could look at my cron jobs.

> Live Free or Die

Try living polite.

-- 
David Cantrell | semi-evolved ape-thing

You can't spell AWESOME without ME!


Re: Trimming the CPAN - Automatic Purging

2010-03-29 Thread David Cantrell
On Sat, Mar 27, 2010 at 09:38:16PM -0400, Elaine Ashton wrote:

> I suppose I don't understand the opposition to trimming off the
> obvious cruft on CPAN to lighten the load when BackPAN exists to
> archive them. There is already CPAN::Mini (which was created back
> when CPAN was an ever-so-tiny 1.2GB) so it's not as though
> lightening the load is a new idea or an unwelcome one.

My understanding is that CPAN::Mini is aimed more at end-users who want
to have CPAN-onna-(memory)-stick or on a laptop.  Back in 2004,
dedicating 1.2GB of laptop space was rather more significant than it is
now - my laptop at the time had something like 30GB, and that had to
include the OS and all my mp3s.  A CPAN-onna-stick was very useful at
hackathons and on train journeys.

-- 
David Cantrell | Official London Perl Mongers Bad Influence

I think the most difficult moment that anyone could face is seeing
their domestic servants, whether maid or drivers, run away
  -- Abdul Rahman Al-Sheikh, writing at
 http://www.arabnews.com/?article=38558


Re: Trimming the CPAN - Automatic Purging

2010-03-27 Thread David Cantrell
On Fri, Mar 26, 2010 at 03:02:22PM -0800, Arthur Corliss wrote:
> Why use rsync, then?  Why not have checkpointed logs on cpan with
> additions/removals logged by date so you can roll forward on the client,
> processing only those files?  It would be trivial to set up and a lot more
> efficient.

Because the most important mirror sites mirror CPAN as just a very small
part of what they do.  They won't want to have to use weird tools for
just that tiny corner of their disk.

-- 
David Cantrell | London Perl Mongers Deputy Chief Heretic

I caught myself pulling grey hairs out of my beard.
I'm definitely not going grey, but I am going vain.


Re: Trimming the CPAN - Automatic Purging

2010-03-25 Thread David Cantrell
On Thu, Mar 25, 2010 at 01:42:58PM +, Barbie wrote:

> There are many distributions on CPAN that older versions work on a
> particular perl/os, but more recent ones don't. Latest isn't necessarily
> the greatest.
>
> If you are going to perform this then it should really feed off the CPAN
> Testers to know if a specific release has been marked as being the
> latest working release for a particular perl/os.

You just described cpXXXan: http://cpxxxan.barnyard.co.uk/

-- 
David Cantrell | Bourgeois reactionary pig

  You know you're getting old when you fancy the
  teenager's parent and ignore the teenager
-- Paul M in uknot