Slide 1

Slide 1 text

Recent PAUSE Changes
Kenichi Ishigaki @charsbar
PerlCon 2019, Aug 7, 2019

Slide 2

Slide 2 text

me
• DBD::SQLite
• JSON/JSON::PP
• Perl::PrereqScanner::NotQuiteLite
• CPANTS
• CPAN::Groonga
• PAUSE on Mojolicious

Slide 3

Slide 3 text

Perl Toolchain Summit (formerly known as Perl QA Hackathon) 2019
Sponsors: Booking.com, cPanel, MaxMind, FastMail, ZipRecruiter, Cogendo, Elastic, OpenCage Data, Perl Services, Zoopla, Archer Education, OpusVL, Oetiker+Partner, SureVoIP, YEF

Slide 4

Slide 4 text

PAUSE has been a hot topic

Slide 5

Slide 5 text

What's PAUSE?
• The Perl programming Authors Upload SErver
• The back stage entrance to the CPAN
• Written by Andreas König in 1995
• Generates indices of authors/packages

Slide 6

Slide 6 text

PAUSE has been serving us well for a long time
• Its UI was (last) overhauled in 1999
• It may look old-fashioned compared with other portals including MetaCPAN or modules.perl6.org
• Things around us have been changing

Slide 7

Slide 7 text

PAUSE itself can't stop our downtrend
[Chart, 2007 to 2019: Active authors / Authors with new releases]
[Chart, 2007 to 2019: New authors / New active authors]

Slide 8

Slide 8 text

Maybe we can help a little
• to make it easier to transfer abandoned modules to someone
• to show beginners how to make a release (PAUSE has some under "About PAUSE" section)

Slide 9

Slide 9 text

Growing pains
• PAUSE used to list everything on a single page
• This may not have been a problem before
• Too many checkboxes for some authors (150 authors have or had 50+ distributions, and 50+ authors have or had 100+ dists now)

Slide 10

Slide 10 text

External PAUSE Tools
• App::pause (PERLANCAR)
• App::PAUSE::CheckPerms (NEILB)
• App::PAUSE::cleanup (YANICK)
• App::PAUSE::Comaint (MIYAGAWA)
• Pcore::API::PAUSE (ZDM)
• WWW::PAUSE::CleanUpHomeDir (ZOFFIX)
• WWW::PAUSE::Simple (PERLANCAR)
(plus a few uploaders and scripts, etc)
but shouldn't it be better to fix PAUSE?

Slide 11

Slide 11 text

PAUSE on Plack (2015~16)
• Replaced mod_perl/Apache with Plack/Starman (2015)
• Went into production (2016)
• Occasional stability issue(s) (~2019?)

Slide 12

Slide 12 text

PAUSE on Mojolicious (2017~19)
• Big rewrite for templates and plugins (2017)
• Went into production from my mojo_wip branch (2018)
• Fell back to PAUSE on Plack sometimes (2018)
• Merged into master (2019)

Slide 13

Slide 13 text

Markdown rendering (2018)
• Made it easier to add new documents
• PAUSE Operating Model
• Privacy Policy
• More to come

Slide 14

Slide 14 text

From XHTML to HTML5 (2018)
• No more table layout
• Min.css just for grid layout
• Not optimized yet
New UI mockup by Babs Veloso (Not implemented yet)

Slide 15

Slide 15 text

JavaScript for Paging/Filtering (2018)
• No time for a real pager
• List.js

Slide 16

Slide 16 text

How many items in a page?
• 100 items per page was too small for Mojolicious, DBIx::Class etc.
• Increased to 300 for the time being
• How can we help distributions with thousands of modules?

Slide 17

Slide 17 text

Permission management per distribution (2019)
Transfer everything in a distribution with one check

Slide 18

Slide 18 text

No more partial transfer
Filtering by "Starman" module was not enough because Starman contains a module under a different namespace (HTTP::Server::PSGI::Net::Server::PreFork)

Slide 19

Slide 19 text

Incomplete ownership
• Distributions may be owned by multiple owners (because a new contributor releases a new module without specifying x-authority, or because of partial transfer)
• If you want to be a new contributor, you (usually) need to ask all of the owners for permission
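The gap described on slides 17 to 19, as an added example (not PAUSE's own code): it compares transferring ownership by module-name filter with transferring per distribution, then reports distributions left with mixed owners. The module-to-distribution map, the user ids OLDOWNER/NEWOWNER and all function names are constructed for illustration.

```python
# Constructed sample data: module -> distribution (what a package index records)
# and module -> first-come owner. User ids are placeholders, not real accounts.
PACKAGES = {
    "Starman": "Starman",
    "Starman::Server": "Starman",
    "HTTP::Server::PSGI::Net::Server::PreFork": "Starman",
    "Plack": "Plack",
}
OWNERS = {module: "OLDOWNER" for module in PACKAGES}


def by_namespace(packages, prefix):
    """Modules a name filter selects: the prefix itself and anything below it."""
    return {m for m in packages if m == prefix or m.startswith(prefix + "::")}


def by_distribution(packages, dist):
    """Modules shipped in one distribution, whatever namespace they live in."""
    return {m for m, d in packages.items() if d == dist}


def transfer(owners, modules, new_owner):
    """Return a copy of the ownership map with `modules` handed to new_owner."""
    updated = dict(owners)
    updated.update({m: new_owner for m in modules})
    return updated


def split_distributions(packages, owners):
    """Distributions whose modules do not share one owner (incomplete ownership)."""
    seen = {}
    for module, dist in packages.items():
        seen.setdefault(dist, set()).add(owners[module])
    return {d: sorted(o) for d, o in seen.items() if len(o) > 1}


def demo():
    name_set = by_namespace(PACKAGES, "Starman")
    dist_set = by_distribution(PACKAGES, "Starman")
    partial = transfer(OWNERS, name_set, "NEWOWNER")
    whole = transfer(OWNERS, dist_set, "NEWOWNER")
    return (dist_set - name_set,
            split_distributions(PACKAGES, partial),
            split_distributions(PACKAGES, whole))


if __name__ == "__main__":
    missed, after_partial, after_whole = demo()
    print("missed by name filter:", sorted(missed))
    print("split after name-based transfer:", after_partial)
    print("split after per-distribution transfer:", after_whole)
```

After the name-based transfer the previous owner still holds one module of the distribution, which is the state a periodic `split_distributions` check over the real indices would flag.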

Slide 20

Slide 20 text

"Permission manager" permission
• Formerly known as "Admin" permission
• To let someone grant permissions to someone else without giving up your owner rights
• Permission manager needs to know new modules added by others, but how?
• Discussed but not implemented yet

Slide 21

Slide 21 text

reCAPTCHA (2018)
• ID requests used to be approved by the PAUSE admins, but this process takes time
• 25% of new users release their first distribution on the day of approval
• David Golden introduced reCAPTCHA to eliminate this delay and admins' burden

Slide 22

Slide 22 text

Abused by spammer(s)
It's disabled now

Slide 23

Slide 23 text

Exposed user status (2019)
• For other CPAN services to remove/hide spammers' information
• We may need "system" status as well for special users (ADOPTME etc)

Slide 24

Slide 24 text

GDPR: Right to be forgotten
• You can't delete your account if you have uploaded something
• You can empty most of your personal data by yourself
• We started hiding data of deleted accounts (2019)
• More to come

Slide 25

Slide 25 text

OAuth2 as authorization
• Lee Johnson made a branch for this
• For ACT users to allow ACT to use their personal data
• ... but almost everything is exposed via indices now
• Providing official API would be nice
• (Ab)use for user verification for RT/MetaCPAN?

Slide 26

Slide 26 text

CSRF protection (2018)
• Mojolicious::Plugin::WithCSRFProtection
• Some of the pages are protected now

Slide 27

Slide 27 text

Multi-factor Auth
• Recent account hijackings for other portals (rubygems, npm)
• Not implemented yet but we should
• As long as other CPAN clients/services support this
• https://github.com/andk/pause/issues/292

Slide 28

Slide 28 text

Perl6 indices
• Actually there are two indices (+ empty one) for Perl 6
• modules.perl6.org is making its own indices

    # CPAN/authors/p6dists.json.gz
    {
      "A/AK/AKIYM/Perl6/JSON-Hjson-0.0.1.tar.gz" : {
        "name" : "JSON::Hjson",
        "auth" : "AKIYM",
        "ver" : "0.0.1"
      },
      ...
    }

    # CPAN/authors/p6provides.json.gz
    {
      "Math::Random" : [
        "P/PS/PSIXDISTS/Perl6/Math-Random-0.000.001.tar.gz"
      ],
      "Math::FFT::Libfftw3::Exception" : [
        "F/FR/FRITH/Perl6/Math-FFT-Libfftw3-0.1.1.tar.gz",
        "F/FR/FRITH/Perl6/Math-FFT-Libfftw3-0.1.2.tar.gz",
        "F/FR/FRITH/Perl6/Math-FFT-Libfftw3-0.1.3.tar.gz"
      ],
      ...
    }

Slide 29

Slide 29 text

Transferring Perl6 modules
• Currently there's no permission management for Perl6 modules
• Just author(s), instead of P5's first-come + contributors?
• ADOPTME/HANDOFF/NEEDHELP/NOXFER?

Slide 30

Slide 30 text

Other changes
• Ricardo Signes and Neil Bowers finished their efforts to make PAUSE indices case insensitive
• Slaven Rezić fixed pause.cpan.org certification issue
• Abandon primary permissions now means transfer to ADOPTME
• Various test/logging improvements
• Burp reports by Lee Johnson

Slide 31

Slide 31 text

Further reading

Blog posts about PAUSE at PTS 2019
• http://blogs.perl.org/users/neilb/2019/05/pause-pts-2019.html
• https://rjbs.manxome.org/rubric/entry/2116
• https://rjbs.manxome.org/rubric/entry/2117
• http://neilb.org/2019/05/01/fixing-pause-permissions.html
• http://blogs.perl.org/users/kenichi_ishigaki/2019/05/perl-toolchain-summit-and-pause-permission-management-per-distribution.html

PTS 2019 in general
• http://act.qa-hackathon.org/pts2019/wiki?node=Blogs
• http://act.qa-hackathon.org/pts2019/wiki?node=Results

Slide 32

Slide 32 text

Looking forward to your input
https://github.com/andk/pause/issues

Slide 33

Slide 33 text

Thank you