What is the Perl Toolchain Summit?

Up to 2016, this event was known as Perl QA Hackathon - PQAH.

The PTS is a free of charge coding workshop for people involved in Quality Assurance, testing, packaging, CPAN, and other projects related to quality assurance. The workshop is not necessarily exclusive to Perl projects, however, many of the attendees will be planning to work on projects that have a direct benefit to the Perl language.

This Perl Toolchain Summit is the next in a series of annual events, following on from successful summits in:

• Oslo 2008
• Birmingham 2009
• Vienna 2010
• Amsterdam 2011
• Paris 2012
• North West England 2013
• Lyon 2014
• Berlin 2015
• Rugby 2016
• Lyon 2017
• Oslo 2018
• Marlow 2019
• Lyon 2023
• Lisbon 2024
• Leipzig 2025

These events were a great success for the Perl and Open Source communities, as well as the attendees.

When, and where, is it happening?

The PTS is a four day event that took place from Thursday April 23^rd to Sunday April 26^th 2026, all the day long, in the town of Vienna, Austria.

The results

H.Merijn Brand (‎Tux‎)

• Analysis of the Test::Smoke database
• Attempt to convert that to Test2::Builder architecture (proved to be of no use)
• Extract binary data out of that 150 Gb+ database into local files
• replace bytea entries with locations of those files (new size is just over 300 Mb + 77 Gb of files on disk
• Discuss and help with new maint setup for webUI and API for Test::Smoke results. Thanks Todd Rinaldo (‎toddr‎) for picking this up!!!!
• Talk about Configure and its bus factor. Incl a podcast recording with Philippe Bruhat (‎BooK‎))
• Evaluate new Devel::Cover and help digging into failures
• Digging into Test2::Harness fallout due to installation of an old(er) version-conflict
• Fix stack corruption issue in Text::CSV_XS (Thanks Leon Timmermans (‎leont‎)!)
• Many many useful discussions

Shoichi Kaji (‎skaji‎)

• Released cpm v1: https://metacpan.org/pod/App::cpm

Tina Müller (‎tinita‎)

• YAML::XS
  • Fix memory leak for trailing UTF8 octets
  • Fix detecting floats in YAML 1.2 Core Schema
  • v0.906.1-TRIAL: Turn off cyclic references by default (potential memory leak)
• YAML::PP
  • Security: Limit default allowed maximum nesting level.
• libyaml
  • Fix Denial of Service vulnerability: Limit depth of nesting by default
  • Handle closing flow sequence after explicit key
• Sat together with Thibault Duponchelle (‎tibtib‎) and talked about attack vectors in PAUSE regarding YAML

atoomic

• Quick Summary for PSC26: Open 42 issues ; Worked on 141 PRs ; 86 Merged
• Mainly focused on Test-More/Test2-Harness refactor with 27 PRs merged
• but also updated, modernized and released v2 for perl-actions/install-with-cpm, perl-actions/install-with-cpanminus
  • update node to v24
  • several security updates
  • upstream stack up to date
  • added a few extra features: retry, cache, mirror...
• TimeDate -Worked on 14 issues
• Clone: merged 4 PRs ; release pending
• helped modernized Perl-Toolchain-Gang/Test-Smoke
• exchanged on feature requests for metacpan/metacpan-grep-front-end
• workshop: collaborate with Robert on automation Policy
• talk: AI discussion, attended Perl Core features talk from Leonerd

Thomas Klausner (‎domm‎)

• Added a local-dev setup using docker-compose to PAUSE: https://github.com/andk/pause/pull/588, already merged!
• Might have been shanghaied to look into making PAUSE an OAuth2 identity provider
• Attended a interview podcast recording about Vienna.pm with Philippe Bruhat (‎BooK‎)
• Running errands, un/locking doors, organize food etc

Paul Evans (‎LeoNerd‎)

• Presented two talks outlining upcoming or potential future core perl ideas and designs
• Lots of discussions about class/role feature design
• Fixed a small bug in the `Socket` dual-life module
• Pointed atoomic+Todd Rinaldo (‎toddr‎) at the "static cow" ability of newer perls as a nicer way to solve a `B::C` issue
• Looked into `Devel::Cover` interactions with perl's `PL_perldb` variable with Paul Johnson (‎pjcj‎)
• Lent some words on the theme of the ever-looming "AI tools" discussions
• Held an in-person PSC meeting to triage the release-blocker queue and manage some outstanding issues
• Attended a interview podcast recording with the PSC with Philippe Bruhat (‎BooK‎)

Robert Rothenberg (‎rrwo‎)

• Worked with CPANSec on various projects
  • Vulnerability discovery
    • Released a fix for Text::Minify::XS (thanks to Karl Williamson for helpful advice on handling Unicode in XS)

• CNA improving the vulnerability to fix and disclosure workflow
  • We want to reduce delays to releasing fixes and disclosing vulnerabilities, but we also want to communicate with authors in a way that does not put pressure on them.
    • CPANSec is a resource to assist authors with security issues.

• Working on a ideas with Salve J. Nilsen (‎sjn‎) about where new kinds of metadata should go, so that authors can experiment with it over the next year.
  • Blog post(s) will be forthcoming
  • A proposal for documenting how AI and automation fits into a project (with atoomic)
  • Ideas in GitHub at https://github.com/CPAN-Security/cpan-metadata-v3
• Joined the DBI core maintenance team
• Participated in various discussions
  • AI usage meeting was lively but productive.
  • Paul Evans (‎LeoNerd‎) talks about upcoming and potential improvements.
  • Karl Williamson on UTF-8
  • Salve J. Nilsen (‎sjn‎)'s talks on CRA and steward organization
  • META v3 and Community Health Documentation

Christian Walde (‎Mithaldu‎)

• PPI - several releases with:
  • two separate performance fixes for features/signature parsing in large files (thanks mauke)
  • support for dotted bitwise operators (thanks BooK)
  • fixes for code location indexing (thanks myrrhlin)
  • many other small things
• had toddr help me automatically generate a lot of PPI tests (and some fixes) for currently broken behaviours
• several conversations with Leonerd on the relationship between classes and roles and better replacements for roles, as well as what makes acceptable behaviours in po syntax; and advice on how to get feedback with little effort

Andreas Koenig

• released CPAN.pm-2.39-TRIAL
• Security fixes on PAUSE
  • Ignore README or META.xxx in uploaded distributions when they are symlinks (Stig Palmquist)
  • Fix Possible timing attack in ABRA lookup (Thibault Duponchelle)
  • replace rand() with Crypt::URandom::urandom() (Thibault Duponchelle)
  • discussed some more potential security issues with Stig Palmquist and Graham Knop
• applied circa 15 pull requests to PAUSE together with Kenichi Ishigaki
• participated in discussions about deprecation of Module::Signature and shutdown of the email forwarding service for the CPAN

Timothy Legge (‎timlegge‎)

• Various CPANSec discussions
  • CNA - How to reduce the required to issues CVEs
  • CNA - Improve the disclosure workflow process
  • CNA - Recognize the impact of security reports on maintainers
• Worked with Todd Rinaldo (‎toddr‎) to release Crypt::OpenSSL:::RSA which restored PKCS1 v1.5 padding for signatures
• Participated in various discussions on:
  • CPAN Clients
  • Perl Platform support
  • AI and the Perl Community
  • Karl Williamson on UTF-8
• H.Merijn Brand (‎Tux‎) presented metaconfig and Configure to a small number of us
  • While not frequently changing H.Merijn Brand (‎Tux‎) gave us a great understanding of its importance and how it works
  • The hope is to improve the bus factor
• Deprecated Module::Signature
  • Audrey approved its deprecation
  • Module::Signature does not provide the expected security assurances
  • It is time to retire it and look for a new solution

Lukas Mai (‎mauke‎)

• helped Christian Walde (‎Mithaldu‎) disentangle and release a PPI patch (performance improvements)
• opened a handful of pull requests in CPAN modules to eliminate string comparisons on $] (e.g. `if ($] lt "5.010")`), which will break if $] exceeds 10.0 (e.g. if we were to "drop the 5.")
• attended talks by Paul Evans (‎LeoNerd‎) (future features, language design), Karl Williamson (UTF-8)
• many, many discussions

Doug Bell (‎preaction‎)

• Begun parsing report text to fill in data
  • Starting from Andreas's CPAN::Testers::ParseReport
  • Now have a framework to parallelize jobs over the entire report set
• Started to sync from backpan.perl.org to fill in CPAN Testers's backpan
  • Recovery from last winter's outage
• Initial MCP server for AI agents at https://mcp.cpantesters.org
• Started importing parsed reports into a new Postgres schema
  • Goal is to be able to travel upstream and downstream to aggregate report data

Philippe Bruhat (‎BooK‎)

• released Perl-Version-Bumper 0.256, thanks to the newly added support for dotted bitwise operators in PPI
• discussed implementing a new utility method for PPI (akin to PPIx::Literal), and started implementing it
• attended several meetings: April Task Force, CPAN clients, AI discussion, Perl platforms, Paul Evans (‎LeoNerd‎)'s talks
• rebased the "drop the 5" branch for Perl (PPC 0025)
• several PTS organiser discussions and tasks, including for 2027
• recorded over 5 hours of interviews for The Underbar podcast: Configure (H.Merijn Brand (‎Tux‎)), Vienna.pm, PPI (Christian Walde (‎Mithaldu‎)), the PSC, Karl Williamson.

Kenichi Ishigaki (‎charsbar‎)

• published accumulated local changes on CPANTS
  • bumped javascript libraries (notably, bootstrap from 3 to 5)
  • restored old API endpoints
• implemented a new API application for PAUSE
• made several pull requests to PAUSE
• shipped Parse::LocalDistribution to reflect changes for PAUSE
• asked the maintainer of Encode to cut a release
• joined a few discussions

Thomas Baugh (‎Andy‎)

• Helped out exodist with the Test2::Harness refactors on the 2.0 branch.
  • Very near to completion
  • I still need to finish polishing/testing preloads feature ;_;
• Learned how to use koanbot from atoomic
• For fun vibecoded a test runner script based on MCE and Log::Dispatch.
  • https://github.com/Troglodyne-Internet-Widgets/perl-app-prover
  • Slightly faster than App::Prove when using concurrency (surprising for basically an experiment)
  • I plan to use it to try to make benchmarks with once Test2::Harness rework is done.

Shawn Sorichetti (‎hide‎)

• Migrated all MetaCPAN secrets from SealedSecrets to External Secrets Operator backed by 1Password, eliminating per-cluster encrypted-blob duplication and removing secrets (even encrypted ones) from the git repo entirely
• Migrated every SealedSecret across the platform: cert-manager (Cloudflare DNS), ArgoCD (GitHub OAuth), loki, kube-prometheus, kube-thanos, and application secrets for web, api, test-smoke, and backpan-syncer
• Refactored ExternalSecrets from environments/prod/ into each app's base/ with namespace injection via Kustomize overlays, verified byte-identical kustomize build output before and after
• Switched ArgoCD repo access to GitHub App authentication after the OAuth secret transition
• Stood up a full parallel production stack (prod-hz) on Hetzner/CloudFleet running all seven MetaCPAN apps as a blue/green shadow of the DigitalOcean cluster - launched without SealedSecrets ever being deployed to it
• Built per-app environments/prod-hz/ Kustomize overlays plus separate ArgoCD AppProject and Application definitions targeting the hz cluster
• Installed the platform layer via a vendored Helm pattern (Makefile + values.yaml + checked-in vendor/) for ArgoCD, Hetzner CSI driver, CloudNative PG operator, and the CloudFleet node autoprovisioner - making installs reproducible without runtime internet pulls
• Wrote a Python script to query Datadog for P95 CPU and memory across all workloads and generate tuned resource requests, so the hz cluster launched with data-driven sizing instead of guesses; documented the methodology in scripts/README.md
• Pinned all hz workloads to Germany via nodeAffinity on topology.kubernetes.io/region (fsn1, nbg1), aligned with the CloudFleet NodePool restriction
• Added topologySpreadConstraints to web for even pod distribution across German availability zones; pinned backpan-syncer, grep, and test-smoke specifically to Frankfurt for storage locality
• Added PodDisruptionBudgets (maxUnavailable: 1) to web and web-search in the base, guaranteeing at least two pods serve traffic during voluntary disruptions in any cluster
• Set ServerSideDiff as the cluster-wide ArgoCD default, eliminating spurious diffs caused by ESO operator-injected fields
• Added ignoreDifferences rules covering PVC post-binding fields, eight ESO webhook-injected fields on ExternalSecret, Karpenter NodePool CRD defaults, and DatadogAgent operator-version fields - fixing perpetual OutOfSync states across both clusters
• Replaced the hardcoded overlay list in the validate-manifests CI workflow with find-based autodiscovery, picking up six previously unvalidated overlays and removing three stale ones
• Removed the legacy self-hosted monitoring stack (loki, kube-prometheus, kube-thanos, vector-agent) from the repository, completing the migration to Datadog and unblocking CI
• Updated the set-image automation workflow to update both prod and prod-hz in the same commit, preventing immediate post-launch drift between clusters

Olaf Alders (‎oalders‎)

• The bulk of my time was spent working with Salve on a significant funding proposal for CPAN security work
• Merged some pull requests for perlimports and released a new version to CPAN
• Merged some code I had written to add a new MetaCPAN API endpoint: /download_url/distribution/{distribution}
• Looked into adding GFM (GitHub Flavored Markdown) support to MetaCPAN. I have a proof of concept in place and discussed it with Graham Knop (‎haarg‎)
• Recorded 2.5 podcast episodes of The Underbar with BooK

Karl Williamson

• Got past a sticking point to releasing the next version of Devel::PPPort
• Gave a talk on the new API in 5.44 for XS code to use in handling UTF-8.
• Attended talk by Paul Evans (‎LeoNerd‎) on classes and roles
• H.Merijn Brand (‎Tux‎) clarified for me an underdocumented Configure behavior, which will lead to fixing a bug.
• With Leon Timmermans (‎leont‎)'s help, came up with a proposal for replacing PERL_NO_SHORT_NAMES (which has been broken for many releases) with new functionality that achieves the same aim, but signficantly easier to use.
• Tried to raise awareness of Unicode security issues
• Many many useful discussions
• Met many people whom I had long hoped to meet
• Was interviewd by Philippe Bruhat (‎BooK‎) and Olaf Alders (‎oalders‎)