PAUSE ID request (RAFORG; Raf Esq.)
Request to register new user fullname: Raf Esq. userid: RAFORG mail: CENSORED homepage: why: Hi, Firstly, I want to publish some code as a MIME::Tiny module (name not used yet). Years ago, I needed a program to act as a procmail filter, and the existing MIME modules took far too long to load up (~1s!) so I had to write my own (really tiny) MIME parser/generator. I know there're probably lots of MIME modules now but I think mine is awesome and I'd like to let others find it in case it's useful to them. If you need to see the code, look at http://raf.org/minimail/. Also, my joy of perl/raku has recently been reinvigorated (I'm binge watching lots of perl/raku conferences!) and I'm hoping to have some spare time next year to maybe take over the maintainership of some CPAN modules that are in need of attention. Nothing particular in mind. I just want to contribute. I've started contributing to cpan modules via github pull requests (which don't need a pause account), but I think a pause account would make sense. cheers, raf The following links are only valid for PAUSE maintainers: Registration form with editing capabilities: https://pause.perl.org/pause/authenquery?ACTION=add_user&USERID=2541_b4b81df97d9d5710&SUBMIT_pause99_add_user_sub=1 Immediate (one click) registration: https://pause.perl.org/pause/authenquery?ACTION=add_user&USERID=2541_b4b81df97d9d5710&SUBMIT_pause99_add_user_Definitely=1
Welcome new user RAFORG
Welcome Raf Esq., PAUSE, the Perl Authors Upload Server, has a userid for you: RAFORG Once you've gone through the procedure of password approval (see the separate mail you should receive about right now), this userid will be the one that you can use to upload your work or edit your credentials in the PAUSE database. This is what we have stored in the database now: Name: Raf Esq. email: CENSORED homepage: Please note that your email address is exposed in various listings and database dumps. You can register with both a public and a secret email if you want to protect yourself from SPAM. If you want to do this, please visit https://pause.perl.org/pause/authenquery?ACTION=edit_cred or http://pause.perl.org/pause/authenquery?ACTION=edit_cred If you need any further information, please visit $CPAN/modules/04pause.html. If this doesn't answer your questions, contact modules@perl.org. Before uploading your first module, we strongly encourage you to discuss your module idea on PrePAN at http://prepan.org/ to get feedback from experienced Perl developers. Thank you for your prospective contributions, The Pause Team
Welcome new user RRYLEY
Welcome Robert Ryley, PAUSE, the Perl Authors Upload Server, has a userid for you: RRYLEY Once you've gone through the procedure of password approval (see the separate mail you should receive about right now), this userid will be the one that you can use to upload your work or edit your credentials in the PAUSE database. This is what we have stored in the database now: Name: Robert Ryley email: CENSORED homepage: Please note that your email address is exposed in various listings and database dumps. You can register with both a public and a secret email if you want to protect yourself from SPAM. If you want to do this, please visit https://pause.perl.org/pause/authenquery?ACTION=edit_cred or http://pause.perl.org/pause/authenquery?ACTION=edit_cred If you need any further information, please visit $CPAN/modules/04pause.html. If this doesn't answer your questions, contact modules@perl.org. Before uploading your first module, we strongly encourage you to discuss your module idea on PrePAN at http://prepan.org/ to get feedback from experienced Perl developers. Thank you for your prospective contributions, The Pause Team
User update for RRYLEY
Record update in the PAUSE users database: userid: [RRYLEY] fullname: [Robert Ryley] asciiname: [] email: [CENSORED] homepage: [] cpan_mail_alias: [secr] was [none] ustatus: [unused] Data were entered by RRYLEY (Robert Ryley). Please check if they are correct. Thanks, The Pause
User update for DRCLAW
Record update in the PAUSE users database: userid: [DRCLAW] fullname: [Ruben Westerberg] asciiname: [] email: [CENSORED] homepage: [] cpan_mail_alias: [secr] was [none] Data were entered by DRCLAW (Ruben Westerberg). Please check if they are correct. Thanks, The Pause
PAUSE ID request (CATZHENG; zheng he)
Request to register new user fullname: zheng he userid: CATZHENG mail: CENSORED homepage: why: for perl learning Intermediate Perl The following links are only valid for PAUSE maintainers: Registration form with editing capabilities: https://pause.perl.org/pause/authenquery?ACTION=add_user&USERID=9541_69403c90f5fee391&SUBMIT_pause99_add_user_sub=1 Immediate (one click) registration: https://pause.perl.org/pause/authenquery?ACTION=add_user&USERID=9541_69403c90f5fee391&SUBMIT_pause99_add_user_Definitely=1
Re: CPAN - rationalising first-come permissions on XML-Feed
I haven't done any work on XML::Feed since I worked at Six Apart and I have no plans to do any in the future.

From my end I have no problems handing maintainership off to Dave but the module was originally Ben's and I don't want to speak for him.

On Sun, Jul 26, 2020 at 11:42:32PM +0100, Neil Bowers said:
> Hi CPAN authors BTROTT, MSTROUT, SIMONW, and DAVECROSS,
>
> I’m one of the PAUSE admins; I’m working through distributions where multiple people have first-come permissions on different packages. These days PAUSE tries to ensure that the lead author retains first-come on all packages, regardless of who first releases them[1].
>
> For the XML-Feed distribution, BTROTT has first-come on some modules, SIMONW on others, and MSTROUT on one other. But DAVECROSS has done all the releases since 2011.
>
> So I wonder if the best solution would be to give DAVECROSS first-come on all packages, and the rest of you would have co-maint. Everyone ok with that?
>
> Cheers,
> Neil
>
> [1] https://neilb.org/2020/07/24/inconsistent-permissions.html
Re: CPAN: Ownership of the XML-XPathScript modules
Yeah totally fine by me. Do I need to do anything in pause?

> On Jul 24, 2020, at 5:57 PM, Chris Prather wrote:
>
> I talked to Matt via Facebook about handing over his XML modules (Specifically XML::Parser) which is why I have first come I suspect now. I wanted to make sure that they had people who were still interested in XML and Perl shepherding them and I was happy to be that person.
>
> I'm entirely ok with Yanick taking it if he's happy with that or with Dominique taking it if they prefer. Otherwise I'm happy to shepherd it as well. Basically whatever everyone else wants to do as long as they don't fall into ADOPTME I'm good with :)
>
> -Chris
>
>> On Fri, Jul 24, 2020 at 3:53 PM Dominique Quatravaux wrote:
>> I am DOMQ and I approve of this plan.
>>
>> --
>> Dominique Quatravaux
>> domini...@quatravaux.org
>>
>>> On Fri, 24 Jul 2020 at 21:34, Neil Bowers wrote:
>>> Hi,
>>>
>>> I’m one of the PAUSE admins, and I’m emailing you wearing that hat.
>>>
>>> The XML-XPathScript distribution was originally created by Matt; Dominique then did 5 releases; since 2005 Yanick has done 24 releases. Chris (PERIGRIN) doesn’t seem to have done any releases, but he has the first-come indexing permission on the lead module (XML::XPathScript), and YANICK has first-come on the others. The rest of you have co-maint on the (other) modules.
>>>
>>> The fractured ownership means that no single person could grant co-maint to someone else, or transfer ownership to a new maintainer. PAUSE tries hard now to not let this happen[1], so I’m tidying up the historical cases.
>>>
>>> The default rule is that whoever has first-come on the lead module should get it on the rest, but I suspect here that it would make more sense for YANICK to get first-come on XML::XPathScript — is that ok?
>>>
>>> Cheers,
>>> Neil
>>>
>>> [1] http://neilb.org/2020/07/24/inconsistent-permissions.html
User update for RAFORG
Record update in the PAUSE users database: userid: [RAFORG] fullname: [raf] was [Raf Esq.] asciiname: [] email: [CENSORED] homepage: [] cpan_mail_alias: [secr] ustatus: [unused] Data were entered by RAFORG (Raf Esq.). Please check if they are correct. Thanks, The Pause
User update for RAFORG
Record update in the PAUSE users database: userid: [RAFORG] fullname: [Raf Esq.] asciiname: [] email: [CENSORED] homepage: [] cpan_mail_alias: [secr] was [none] ustatus: [unused] Data were entered by RAFORG (Raf Esq.). Please check if they are correct. Thanks, The Pause
User update for RAFORG
Record update in the PAUSE users database: userid: [RAFORG] fullname: [raf] asciiname: [] email: [CENSORED] homepage: [] cpan_mail_alias: [secr] ustatus: [unused] Data were entered by RAFORG (raf). Please check if they are correct. Thanks, The Pause
Malicious module on CPAN
Not found by me but I'm not sure if anyone else has reported this yet. It was discussed in magnet#toolchain earlier today and brought forth by mst on who to contact about it.

It looks like Module::AutoLoad is running malicious code fetched from http://r.cx/, it might have originally been non-malicious but it appears to either be some kind of rootkit or iphone jailbreak or something currently.

The trigger itself seems to be this test running: https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t

This appears to have been known about for a few years by some people but it's the first I'm seeing about it: https://stackoverflow.com/questions/35212843/perl-understanding-botstrap

Below is the entire conversation from IRC about the discovery

adsf
18:17:47 < haarg> regarding potentially malicious code on cpan
18:17:49 < haarg> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
18:18:40 < Grinnz> oh god
18:19:02 < haarg> let me know if you figure out what it does
18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is doing here
18:19:32 < ether> what it *wants* to do is take the location of the current .t file, go up one dir and find contrib/RCX.pl and then run that script
18:19:32 < haarg> it's like 5 steps of insanity, most of which involve evaling code read straight off a random internet server
18:19:45 < haarg> yeah, now look at that script
18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
18:20:26 * ether ಠ_ಠ
18:20:27 < Grinnz> also: 82.46.99.88.":1"
18:20:43 < Grinnz> ... this is concatenating a vstring with a string
18:20:48 < Grinnz> how would that ever work
18:21:14 < ether> I wonder what used to be at 82.46.99.88
18:22:09 < haarg> https://perlbot.pl/p/1133d2
18:22:29 < ether> he's up front about it being black magic in the docs
18:22:35 < ether> but this shit should have never been put on cpan
18:22:55 < Grinnz> "botstrap" is also cute
18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
18:23:52 < Grinnz> mst / klapperl ^
18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
18:24:12 < veesh> wow, that is not acceptable
18:24:17 < haarg> the unpack i mean
18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
18:26:52 < Grinnz> fyi that has been there since the first release of that dist in 2011
18:27:10 < Grinnz> though with different ips
18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
18:30:11 < Grinnz> oh dear god
18:30:22 < Grinnz> so it's a vstring and not an ip at all
18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port number?
18:30:26 < Grinnz> yes
18:30:49 < ether> I missed haarg's first paste, https://perlbot.pl/p/1133d2 - that makes it more clear :)
18:30:56 < ether> jfc
18:31:08 < ether> burn it with fire
18:31:29 < haarg> i haven't traced the next step because it's pain to decode without running the whole thing
18:33:07 < veesh> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
18:35:21 < ether> I wonder if those guys ever did report this to modules@perl.org
18:35:25 < ether> narrator: they did not.
18:36:12 < ether> I don't see how r.cx could have been hacked and these eval chains still work
18:36:17 < ether> therefore, this was all intentional
18:36:29 < ether> burn it all down and bury this guy at sea
18:36:42 < ether> mst: would you agree?
18:38:44 < veesh> i just noticed now that the OP on the SO question was asking how to port the code to python
18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
18:43:10 * Grinnz commented on the SO answer with some non-malicious solutions to this problem
18:44:59 * ether flagged for moderator attention to get it taken down
18:45:56 < haarg> i'm not having any luck tracing what the code does further than what i posted so far
18:46:07 < haarg> i need a VM or something
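An added example, not part of the message above and not code from CPAN or PAUSE tooling: a Python review heuristic for the two patterns the IRC log describes, a Perl v-string that decodes to a hostname and a string `eval` in a file that also does network I/O. The sample source is constructed around the one expression quoted in the log; the function names, regexes and finding labels are assumptions of this example.

```python
import re

# Perl reads a bare literal with two or more dots (or a leading "v") as a
# v-string: each number becomes the character with that code point.
VSTRING = re.compile(r'''(?<![\w.$@%"'])(v\d+(?:\.\d+)+|\d+(?:\.\d+){2,})(?!\w)''')
ADJ_STR = re.compile(r'''\s*\.\s*["']([^"']*)["']''')  # . "literal" concatenated on
HOSTLIKE = re.compile(r'[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?::\d+)?')
STRING_EVAL = re.compile(r'\beval\b(?!\s*\{)')          # eval EXPR, not eval BLOCK
NET_IO = re.compile(r'IO::Socket|LWP::|HTTP::Tiny|\bsocket\s*\(')

# Constructed sample: only the expression 82.46.99.88.":1" comes from the log.
SAMPLE = '''\
use v5.10;
use IO::Socket::INET;
my $peer = 82.46.99.88.":1";
my $sock = IO::Socket::INET->new($peer);
my $local = "192.168.1.10";   # quoted IP: a plain string, not a v-string
eval { die "x" };             # block form only traps exceptions
eval join "", <$sock>;        # string form compiles whatever was read
'''


def decode_vstring(lit):
    """Return the string Perl builds from a v-string literal, or None."""
    try:
        return ''.join(chr(int(n)) for n in lit.lstrip('v').split('.'))
    except (ValueError, OverflowError):
        return None


def scan_perl_source(text):
    """Return (line_no, kind, detail) findings for one Perl source file."""
    findings = []
    has_net = bool(NET_IO.search(text))
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split('#', 1)[0]          # crude comment strip (heuristic)
        for m in VSTRING.finditer(code):
            decoded = decode_vstring(m.group(1))
            if decoded is None:
                continue
            tail = ADJ_STR.match(code, m.end())
            if tail:                           # include a concatenated ":port"
                decoded += tail.group(1)
            if HOSTLIKE.fullmatch(decoded) and any(c.isalpha() for c in decoded):
                findings.append((no, 'vstring-hostname', decoded))
        if has_net and STRING_EVAL.search(code):
            findings.append((no, 'string-eval-near-network-io', code.strip()))
    return findings


if __name__ == '__main__':
    for finding in scan_perl_source(SAMPLE):
        print(finding)
```

Both checks are line-based heuristics: they will miss literals built at run time and can flag benign string evals, so a hit is a prompt for manual review of the distribution, not a verdict.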
Re: Malicious module on CPAN
Resending with the right email for andk, blame mst for that.

On Mon, Jul 27, 2020 at 7:07 PM Ryan Voots wrote:
> Not found by me but I'm not sure if anyone else has reported this yet. It was discussed in magnet#toolchain earlier today and brought forth by mst on who to contact about it.
>
> It looks like Module::AutoLoad is running malicious code fetched from http://r.cx/, it might have originally been non-malicious but it appears to either be some kind of rootkit or iphone jailbreak or something currently.
>
> The trigger itself seems to be this test running: https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
>
> This appears to have been known about for a few years by some people but it's the first I'm seeing about it: https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
>
> Below is the entire conversation from IRC about the discovery
>
> adsf
> 18:17:47 < haarg> regarding potentially malicious code on cpan
> 18:17:49 < haarg> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
> 18:18:40 < Grinnz> oh god
> 18:19:02 < haarg> let me know if you figure out what it does
> 18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is doing here
> 18:19:32 < ether> what it *wants* to do is take the location of the current .t file, go up one dir and find contrib/RCX.pl and then run that script
> 18:19:32 < haarg> it's like 5 steps of insanity, most of which involve evaling code read straight off a random internet server
> 18:19:45 < haarg> yeah, now look at that script
> 18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
> 18:20:26 * ether ಠ_ಠ
> 18:20:27 < Grinnz> also: 82.46.99.88.":1"
> 18:20:43 < Grinnz> ... this is concatenating a vstring with a string
> 18:20:48 < Grinnz> how would that ever work
> 18:21:14 < ether> I wonder what used to be at 82.46.99.88
> 18:22:09 < haarg> https://perlbot.pl/p/1133d2
> 18:22:29 < ether> he's up front about it being black magic in the docs
> 18:22:35 < ether> but this shit should have never been put on cpan
> 18:22:55 < Grinnz> "botstrap" is also cute
> 18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
> 18:23:52 < Grinnz> mst / klapperl ^
> 18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
> 18:24:12 < veesh> wow, that is not acceptable
> 18:24:17 < haarg> the unpack i mean
> 18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
> 18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
> 18:26:52 < Grinnz> fyi that has been there since the first release of that dist in 2011
> 18:27:10 < Grinnz> though with different ips
> 18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
> 18:30:11 < Grinnz> oh dear god
> 18:30:22 < Grinnz> so it's a vstring and not an ip at all
> 18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port number?
> 18:30:26 < Grinnz> yes
> 18:30:49 < ether> I missed haarg's first paste, https://perlbot.pl/p/1133d2 - that makes it more clear :)
> 18:30:56 < ether> jfc
> 18:31:08 < ether> burn it with fire
> 18:31:29 < haarg> i haven't traced the next step because it's pain to decode without running the whole thing
> 18:33:07 < veesh> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
> 18:35:21 < ether> I wonder if those guys ever did report this to modules@perl.org
> 18:35:25 < ether> narrator: they did not.
> 18:36:12 < ether> I don't see how r.cx could have been hacked and these eval chains still work
> 18:36:17 < ether> therefore, this was all intentional
> 18:36:29 < ether> burn it all down and bury this guy at sea
> 18:36:42 < ether> mst: would you agree?
> 18:38:44 < veesh> i just noticed now that the OP on the SO question was asking how to port the code to python
> 18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
> 18:43:10 * Grinnz commented on the SO answer with some non-malicious solutions to this problem
> 18:44:59 * ether flagged for moderator attention to get it taken down
> 18:45:56 < haarg> i'm not having any luck tracing what the code does further than what i posted so far
> 18:46:07 < haarg> i need a VM or something
Re: CPAN: Ownership of the XML-XPathScript modules
> Yeah totally fine by me. Do I need to do anything in pause?

Nope, it’s all been sorted now — thanks.

Neil