2024.02.10 in #655
Vulnerable Perl Spreadsheet Parsing modules
Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This document describes the timeline and analysis of events.
2024.05.06 in #668
Perl Toolchain Summit 2024 - Lisbon
Nice to hear about the work done by the CPANSec Group. We are happy to see members actively working on the security aspect.
2026.05.06 in #772
Perl Toolchain Summit 2026 - Vienna
According to Timothy Legge, the meeting was effective; the purpose of this summit was to develop the CPAN Security Group (CPANSec) into a CVE Numbering Authority and to improve the security disclosure process for maintainers of CPAN modules. One technical outcome of the summit was the inclusion of signature function support in the Crypt::OpenSSL::RSA distribution, as well as the decision to deprecate Module::Signature in favour of more modern integrity checks.
2026.05.07 in #772
Signing CPAN Releases with SigStore
Timothy Legge describes a contemporary way of achieving security in the Perl ecosystem: using Sigstore to sign CPAN releases. This post describes how we will transition from traditional GPG signatures to shorter and easier-to-obtain certificates, while providing a clear roadmap to assist maintainers (and others) in adopting "keyless" signing and enhancing supply chain security.
This newsletter is about the Perl programming language.