Re: Open source archives hosting malicious software packages
On Fri, 22 Sep 2017 01:00:22 +1200 Kent Fredric wrote:

> On 22 September 2017 at 00:11, David Cantrell wrote:
>
> > But is anyone paying attention? I assume you're talking about
> > #cpantesters, which I'm on, but I hardly ever look at it, and when
> > I do look I certainly don't look at scrollback, let alone looking at
> > scrollback *carefully*.
>
> It gets duty on freenode #perl too, and it's not uncommon for people
> like me to glance at https://metacpan.org/recent (usually to see
> something and regret looking)

Yeah, freenode/#perl is the one I was referring to - 500+ sets of eyeballs (although how many of them are people likely to recognise typo-squatting of popular modules and go check them out I don't know).

Certainly agree that something that automatically flags up anything suspicious-looking would be good - to a mailing list would have the benefit of not being missed if nobody was looking at the time. I'd certainly be happy enough to sit on such a mailing list and help check anything dodgy-looking.
Re: Open source archives hosting malicious software packages
On Wed, 20 Sep 2017 18:08:34 -0400 James E Keenan wrote:

> On 09/20/2017 06:01 PM, Neil Bowers wrote:
>
> > One thing we could do is have a tool looking at newly registered
> > package names and alert the PAUSE admins to have a look at any that
> > are a short edit distance from an existing package name.
>
> Would anyone know of any prior art for detection of "short edit
> distances"? (Perhaps even already on CPAN?)

Isn't that just the Levenshtein distance? So e.g. Neil's Text::Levenshtein?

One thing I think is good to consider is the fact that all CPAN releases get announced on a quite populated IRC channel, increasing the chance of someone spotting a release announcement and thinking "hmm, that looks dodgy" - but that's of course not entirely reliable, and doesn't focus only on new releases.
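The automatic flagging suggested in the first message above and the edit-distance check discussed in this one can be combined into a small checker. The following is an added example, not code from this thread, from PAUSE or from Text::Levenshtein; it implements plain Levenshtein distance itself, normalises names (case-fold, drop "::", "-" and "_") so that separator and case variants of an existing name are caught, and compares each newly registered name against a constructed list of existing names. The module names in EXISTING_NAMES and NEW_NAMES are constructed sample data. Because a transposed pair of letters costs 2 under plain Levenshtein, the default threshold is 2.

```python
"""Flag new package names that sit a short edit distance from existing ones.

Added example for the thread above; not PAUSE code. The name lists below
are constructed sample data, not a real CPAN index.
"""

# Constructed sample data: a handful of well-known names standing in for the
# existing index, and a batch of hypothetical new registrations.
EXISTING_NAMES = ["Data::Dumper", "Text::Levenshtein", "LWP::UserAgent",
                  "JSON::PP", "Moose"]
NEW_NAMES = ["Data::Dumpr", "Text::Levenshtien", "LWP::UserAgents",
             "Mooose", "My::Project::Tool"]


def levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1),
    computed with the two-row Wagner-Fischer recurrence."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Case-fold and strip namespace separators so 'Data-Dumper',
    'data::dumper' and 'Data_Dumper' all compare as the same key."""
    return name.casefold().replace("::", "").replace("-", "").replace("_", "")


def flag_suspicious(new_names, existing_names, max_distance=2):
    """Return {new_name: [(existing_name, distance), ...]} for every new
    name within max_distance of an existing name after normalisation.
    Names that already exist verbatim are not 'new' and are skipped."""
    existing_exact = set(existing_names)
    existing = {normalise(n): n for n in existing_names}
    flagged = {}
    for new in new_names:
        if new in existing_exact:
            continue
        key = normalise(new)
        near = []
        for ekey, ename in existing.items():
            # Length difference is a lower bound on the distance, so skip
            # the O(n*m) computation when it cannot possibly be within range.
            if abs(len(ekey) - len(key)) > max_distance:
                continue
            d = levenshtein(key, ekey)
            if d <= max_distance:
                near.append((ename, d))
        if near:
            flagged[new] = sorted(near, key=lambda t: (t[1], t[0]))
    return flagged


if __name__ == "__main__":
    for name, matches in flag_suspicious(NEW_NAMES, EXISTING_NAMES).items():
        close = ", ".join(f"{m} (d={d})" for m, d in matches)
        print(f"REVIEW: {name} is close to {close}")
```

In practice the existing-name list would be the current index of registered names and the new-name list the names in a fresh upload; anything flagged goes to the admins or a review mailing list rather than being blocked outright, since short names (five or six letters) will sit within distance 2 of many legitimate neighbours and a human still has to decide.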
Re: Compare functions in two versions of a CPAN distro
On Sat, 07 Feb 2015 10:47:11 -0500 James E Keenan wrote:

> Does there exist already a program to compare the performance of a
> function between two different versions of the CPAN distribution?
[...]
> I suspect that with effort I could write such a program, but it
> sounds like the sort of thing that someone on cpan.workers would
> already have written.

Personally, I'd just use a simple benchmark script that loads the module and benchmarks the desired function(s), then run it twice, with $PERL5LIB pointed for it to find the appropriate version each time (most easily - pointed at a git checkout which I switch between release branches in between runs of the benchmark script, alternatively just pointed at two different dirs containing different versions).

--
David Precious ("bigpresh")
http://www.preshweb.co.uk/
www.preshweb.co.uk/twitter
www.preshweb.co.uk/linkedin
www.preshweb.co.uk/facebook
www.preshweb.co.uk/cpan
www.preshweb.co.uk/github
Re: new instant mirroring client
On Thursday 16 June 2011 11:20:08 Henk P. Penning wrote:

> at best, 'iim' could be an alternative for 'rrr-client' ;
> it is just another rrr client ; it is not a replacement
> for anything.
>
> If/when 'iim' is tested a little more (and everybody likes it :-),
> then 'iim' could be mentioned on the 'instant mirroring' page
> as an alternative for 'rrr-client'.
>
> For now, I would just really appreciate some feedback on 'iim'.

Fair enough - I'm already testing rrr-client (and finding it to work well), so when I have sufficient tuits of circular shape, I'll try out iim alongside and offer any feedback I can.

Incidentally, I've not seen any reports on the progress of instant mirroring for a bit - have I missed anything?

Cheers

Dave P

--
David Precious
Outsource Development Manager, UK2.NET
Be friends with UK2 - http://www.uk2.net/twitter | http://www.uk2.net/facebook
Re: Trimming the CPAN - "Automatic Purging"
On Thursday 01 April 2010 05:39:27 David Nicol wrote:

> On Wed, Mar 31, 2010 at 7:43 AM, Ask Bjørn Hansen wrote:
>
> > The main point here is that we can't use 20 inodes per distribution.
>
> so don't. How much reengineering would be needed to keep CPAN in a
> database instead of a file system?

It'd mean each and every mirror operator changing how they sync their mirrors, and how access is provided...

Currently, it's dead simple to sync a copy of CPAN via rsync, offer it up via whatever combination of HTTP, FTP and rsync you prefer, and job done - you're doing a valuable public service by offering a CPAN mirror. Make that process a lot harder (setting up database replication, custom scripts, etc etc) and a lot of people just won't do it.

There's a lot to be said for keeping things simple.

(FWIW, I run mirrors.uk2.net, and appreciated the fact it was simple and easy to get a mirror up and running without investing much time at all. Personally, I have no real problem with the current size of CPAN or the overhead of updating via rsync, but that's just my opinion.)

Cheers

Dave P