Perl whipupitude to the rescue

It’s been widely posted by now that 50,000 or so cleartext user names, email addresses and passwords were compromised from Perl Monks. Yesterday, as the news broke, a discussion started on IRC about how to respond. As some were debating hashing the exposed passwords and checking against other Perl community sites and various other remedies, I suggested that at a minimum, CPAN authors be notified so that they could change their PAUSE passwords if needed.

As the discussion swirled, I grabbed two modules from CPAN, whipped up a short script to email a warning to all CPAN authors and emailed it to Andreas, who manages CPAN & PAUSE. The elapsed time from concept to the email to Andreas, using two modules I’d never used before, including a test to my own email account, was probably 15 minutes. Andreas picked it up a couple hours later and started emailing CPAN Authors.

Here is the entire script:

#!/usr/bin/env perl
use 5.010;
use strict;
use warnings;
use Parse::CPAN::Authors;
use Email::Stuff;

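# Path to a local copy of the CPAN authors index (01mailrc.txt.gz)
my $mailrc = shift @ARGV;
die "usage: $0 <mailrc>\n" unless $mailrc && -f $mailrc;

# Parse the index into a list of author objects
my $pca = Parse::CPAN::Authors->new($mailrc);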

my $body = << 'END_MAIL';
Dear CPAN author,

This email is being sent to inform you that all passwords on the popular
Perl Monks website were compromised.  Many CPAN authors have accounts
there and in some cases have used the same password for PAUSE.

If you have any reason to suspect that your PAUSE account password
is no longer secure, please visit http://pause.cpan.org/ and change it.

If your PAUSE account is not affected, please disregard this message and
accept apologies for the unsolicited email.

Regards,
PAUSE Administrators
END_MAIL

# Send one message per author to their <PAUSE ID>@cpan.org forwarding address
for my $author ( $pca->authors ) {
  Email::Stuff->from     ('module@perl.org'                  )
              ->to       ($author->pauseid . '@cpan.org'     )
              ->subject  ("Perl Monks compromised, PAUSE accounts at risk")
              ->text_body($body                              )
              ->send;
}

(If you're a CPAN Author, the text should be familiar to you as you either got it yesterday, don't have a current email address on PAUSE, or it got caught in your spam folder.)

So even as the community appreciates the value of "modern" Perl, it's good to remember that Perl and CPAN still rock when you need a quick solution to a problem.
