

Perl's CPAN Security Group is Now a CNA, Can Assign CVEs (perlmonks.org)

(Saturday March 01, 2025 @05:34PM (EditorDavid) from the more-than-one-way-to-do-it dept.)


Active [1]since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "[2]was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" [3]posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my [4]talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg [5]posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to [6]become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to [7]their official web site. [8]The announcement from PerlMonks.org:

> Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as [9]CPANSec.
>
> The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been [10]authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN



[1] https://history.perl.org/PerlTimeline.html

[2] https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html

[3] https://social.kernel.org/notice/ArVZABx01vuqYHCCky

[4] https://lfms25.sched.com/event/1urXE/take-control-over-your-projects-cve-entries-before-someone-else-does-greg-kroah-hartman-linux-foundation

[5] https://mastodon.social/@bagder/114069838710278641

[6] https://pyfound.blogspot.com/2023/08/psf-authorized-as-cna.html

[7] https://www.cve.org/Media/News/item/news/2025/02/25/CPAN-Security-Group-Added-as-CNA

[8] https://www.perlmonks.org/?node_id=11164086

[9] https://security.metacpan.org/

[10] https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html



Maybe people would have cared 20 years ago (Score:2)

by Viol8 ( 599362 )

But Perl is more or less legacy now, few organisations would start a new project in it. Python has eaten its lunch (and breakfast and dinner) about as comprehensively as is possible.

Re: (Score:3)

by 93 Escort Wagon ( 326346 )

That was my first thought as well - and I say that as a perl user.

But I will also point out that, if you pay attention, perl still pops up in some surprising places. If you do IT professionally and live in the Unix world, you'll find it's underneath some of the tools you rely on every day.

And to round it out, here's a relevant XKCD: [1]https://www.explainxkcd.com/wi... [explainxkcd.com]

[1] https://www.explainxkcd.com/wiki/index.php/224:_Lisp

Before I retired (Score:2)

by rossdee ( 243626 )

I was a Certified Nursing Assistant (CNA)

And during WWII a CVE was an "Escort Carrier" in the US Navy

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

Yo, Dawg, I could put an escort in my Escort and load it onto an Escort Carrier!
