PTS 2023 Projects
Add projects below that you're thinking of working on. If you see someone else's project that you'd like to help on, add your name, but email them as well please.
Group discussions ("consensus documents")
- should we bump the guaranteed minimum supported version from 5.8.1 - perhaps to 5.16 or 5.20?
- let's start phasing out PERL_USE_UNSAFE_INC
- how do we make distroprefs better?
- thinking ahead to perl7: can we make the expectations for perl7 distributions much more rigid and stop allowing legacy behaviours?
- finish hammering out an initial API design for a `meta::` API -- Paul Evans (LeoNerd)
Upcoming EU laws that will affect PTS, CPAN and Perl (Salve J. Nilsen (sjn))
- Some upcoming EU regulations and laws will be requiring businesses to get their cybersecurity act together. This is very likely to have major consequences across all Open Source communities, when tens of thousands of businesses start asking about SBOM data, supply-chain security and other community resources.
- Salve J. Nilsen (sjn) can offer a presentation about the upcoming laws, if this is desirable
- Possible ramifications:
  - Supply-chain security must be working & secure, including a complete and unbroken chain of trust and a valid trust root. This is likely to affect both PAUSE and the tooling for uploading and downloading in major ways.
  - Make sure tooling for extracting & building SBOM information works with CPAN distros (and possibly add new required metadata to META.json?)
  - Identify and make available relevant documentation for managing distro handovers (and related lifecycle docs) in central and easy-to-find locations (e.g. on metacpan.org and perl.org)
  - More! This probably requires some discussion
- Finish big rewrite and release it.
- We need to find a new home for this project.
- Get everything working with 5.38
- Make a plan to move away from BigV/Bytemark, which is being shut down
I'm currently running on a (virtual) server with 16 CPUs (2.2 MHz), 64G RAM and 120G disk. The CPUs and RAM are nice but I could manage with a little less. The disk is too small really and would ideally be 500G or more.
- Implement as much of that plan as possible
- Containerise everything to simplify the move
- Make changes necessary for PERL_RC_STACK
- Finish up the core changes to allow coverage of top-level module statements
- Finish up queue system
- Manage PRs and bug reports
- Make it possible to start from a stock Linux (Debian?) box and spin up a running PAUSE
  - in furtherance of rebuilding the real PAUSE on a new machine
- Try packaging libfyaml as a Perl XS binding. It is a modern alternative to libyaml, supporting YAML 1.2 and passing every test case
- Add experimental perl booleans to YAML::XS
- A system for CPAN authors to be able to ssh into smokers where their tests failed and debug them.
- An alternative packaging system for Raku based on the BPAN system I've created for Bash.
- Improvements for Devel::hdb - an amazing web based Perl debugger that needs some love.
- Helping Tina on YAML things.
- Promoting TPRC/NA 2023 Toronto which I'm helping to organize this year.
- Whitespace issues: CORE::Configure inconsistent with generated file (request from Yves)
- Release::Checklist check against consensus (PRs welcome!)
- Get Meta back in sync again
- Taint support / taint disabled
- Whatever is requested
- It'd be really great if we could get Test2 shipped with core perl. It might need some dependency trimming first though.
- Look at and fix PRs and tickets on Test2 distributions
- Help Paul Evans (LeoNerd) get Test2::Suite into perl core.
(This is similar to DrHyde's CPXXAN (?) project, which I haven't been able to find a link to)
- Build CPAN Indexes per Perl version that list the latest version of each distribution that had _at least_ one PASS on that version of Perl.
- Make the CPAN clients optionally use the matching Index for the current Perl version
- Make those indexes available from metacpan, and maybe also provide some way to tailor the view of CPAN to a specific Perl version
Benefits:
  - weed out the old, unmaintained modules from the view
  - let distributions adopt newer Perl features, knowing that the index for an older Perl will not list a version of the distribution that does not mean to support it
Software Bill of Materials (SBOM)
- Map out which SBOM file formats to support. (e.g. SPDX, CycloneDX, etc.)
- Identify fields that are required in SBOM formats, and propose an update to CPAN::Meta to formally support these
- Get in some basic work on tooling for generating SBOMs, e.g. via the OWASP CycloneDX project for Perl/CPAN/Raku that Salve J. Nilsen (sjn) recently set up
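As an added example (not code from the page, from CPAN::Meta or from the CycloneDX project), a small Perl script that maps the runtime prereqs of a constructed META.json into a minimal CycloneDX 1.4 document. The purl form pkg:cpan/<Module>@<version> and the use of the declared minimum version as the component version are assumptions made for illustration; a real generator would resolve the installed distribution and version.

```perl
use strict;
use warnings;
use JSON::PP;

# Constructed sample: a trimmed META.json as shipped by a CPAN distribution.
my $meta_json = <<'JSON';
{ "name": "Example-Dist", "version": "0.01",
  "prereqs": { "runtime": { "requires": { "HTTP::Tiny": "0.080", "JSON::PP": "0" } },
               "test":    { "requires": { "Test::More": "0.98" } } } }
JSON

# Turn META.json prereqs into a minimal CycloneDX 1.4 document.
# Only runtime requirements become components. META.json records the
# minimum version a distribution declares, not the version actually
# installed, so that minimum is what ends up in 'version' here (assumption
# for this example). Modules are identified by a purl of the form
# pkg:cpan/<Module>@<version>; a "0" minimum means "any", so no version
# is attached in that case.
sub meta_to_cyclonedx {
    my ($meta) = @_;
    my $runtime = $meta->{prereqs}{runtime}{requires} || {};
    my @components = map {
        my ($mod, $min) = ($_, $runtime->{$_});
        my $purl = "pkg:cpan/$mod" . ($min ne '0' ? "\@$min" : '');
        { type => 'library', name => $mod,
          ($min ne '0' ? (version => $min) : ()),
          purl => $purl }
    } sort keys %$runtime;
    return {
        bomFormat   => 'CycloneDX',
        specVersion => '1.4',
        version     => 1,
        metadata    => { component => { type    => 'library',
                                        name    => $meta->{name},
                                        version => $meta->{version} } },
        components  => \@components,
    };
}

my $bom = meta_to_cyclonedx(JSON::PP->new->decode($meta_json));
print JSON::PP->new->canonical->pretty->encode($bom);
```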
- Ideas for CPAN author signatures (alternative to Module::Signature)
  - Trust root in MetaCPAN that points to the author's GitHub, GitLab or custom URL
  - How to handle key expiry
  - Consider sigstore/rekor
- HTTP::Tiny
  - Discuss changing the verify_SSL => 0 default and the vulnerabilities it causes
  - Look at the CA bundle lookup logic, so it matches other TLS clients
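As an added example (not code from the page or from HTTP::Tiny itself), a Perl helper that builds an HTTP::Tiny client with certificate verification switched on and a small audit routine that reports a client whose verify_SSL is off or whose TLS stack is missing; the names secure_client and audit_client are made up here, and the optional CA file path is an assumption.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Build a client that actually verifies the server certificate.
# ca_file is optional; without it HTTP::Tiny falls back to its own bundle
# lookup (Mozilla::CA if installed, otherwise a list of well-known paths).
sub secure_client {
    my (%opt) = @_;
    my %args = (verify_SSL => 1, timeout => 30);
    $args{SSL_options} = { SSL_ca_file => $opt{ca_file} } if $opt{ca_file};
    return HTTP::Tiny->new(%args);
}

# Inspect an existing client; returns a list of findings, empty when fine.
sub audit_client {
    my ($ua) = @_;
    my @findings;
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    push @findings, "no usable TLS stack: $why" unless $ok;
    push @findings, "verify_SSL is off: server certificates are not checked"
        unless $ua->verify_SSL;
    return @findings;
}

# The page discusses a default of verify_SSL => 0; a bare new() picks up
# whatever default the installed HTTP::Tiny version ships with.
my $lax    = HTTP::Tiny->new;
my $strict = secure_client();
printf "lax:    %s\n", join('; ', audit_client($lax))    || 'ok';
printf "strict: %s\n", join('; ', audit_client($strict)) || 'ok';
```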
- PAUSE
  - Suggest ssh or signify signing keys and/or updating PGP keys with stronger primitives
  - Ideas for new signed CHECKSUMS-file format
  - WebAuthn/TOTP
  - Artifact transparency log
- Help out CPAN/PAUSE server infra