Perl's CPAN Security Group is Now a CNA, Can Assign CVEs (perlmonks.org)
Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.
"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)
444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org:

Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.
The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN.
Maybe people would have cared 20 years ago (Score:3)
But Perl is more or less legacy now, few organisations would start a new project in it. Python has eaten its lunch (and breakfast and dinner) about as comprehensively as is possible.
Re:Maybe people would have cared 20 years ago (Score:5, Informative)
That was my first thought as well - and I say that as a perl user.
But I will also point out that, if you pay attention, perl still pops up in some surprising places. If you do IT professionally and live in the Unix world, you'll find it's underneath some of the tools you rely on every day.
And to round it out, here's a relevant XKCD: https://www.explainxkcd.com/wi... [explainxkcd.com]
Re: (Score:2)
I still have a soft spot for Perl. I ran a company for 19 years whose products and services were mostly implemented in Perl (email security) and it worked really well for us. It's still my go-to language for quick sysadmin tasks.
But I realize sadly it's not the future.
Re: (Score:2)
I use several languages, depending on the task.
Perl still excels where native speed and especially memory or energy usage is a factor.
I literally have one project on hold waiting for another 128GB of RAM to come in for a python script that the vendor software needs that won't run in 96GB.
zram swap was incredibly effective there but still not enough.
The crazy thing is that modern Java whomps perl on these attributes if jvm startup time isn't a factor.
For quick&dirty scripts it is, though.
Re: (Score:1)
If your Python program does not run in 96gig, what makes you assume it runs in 128gig?
I would assume it has a memory leak. And if you do not find and fix it, the program only runs a bit longer before it is OOM.
Before I retired (Score:1)
I was a Certified Nursing Assistant (CNA)
And during WWII a CVE was an "Escort Carrier" in the US Navy
Re: (Score:2)
Yo, Dawg, I could put an escort in my Escort and load it onto an Escort Carrier!
Re: (Score:2)
Cool story bro, next time elaborate. For example, I got a CNA "Certified Novell Administrator" and then a CNE (Certified Novell Engineer) about 30 years ago .. Actually I never did figure out whether the N stood for Netware, or Network or what. Funny thing is about a year after I got the CNE cert somebody sat me down in front of a Netware box and I couldn't even recall the command to even bring up the console .. which was embarrassing because the command was literally CONSOLE or something like that. I can s