It’s been widely posted by now that 50,000 or so cleartext user names, email addresses and passwords were compromised from Perl Monks. Yesterday, as the news broke, a discussion started on IRC about how to respond. As some were debating hashing the exposed passwords and checking against other Perl community sites and various other remedies, I suggested that at a minimum, CPAN authors be notified so that they could change their PAUSE passwords if needed.
As the discussion swirled, I grabbed two modules from CPAN, whipped up a short script to email a warning to all CPAN authors and emailed it to Andreas, who manages CPAN & PAUSE. The elapsed time from concept to the email to Andreas, using two modules I’d never used before, including a test to my own email account, was probably 15 minutes. Andreas picked it up a couple hours later and started emailing CPAN Authors.
Here is the entire script:
```perl
#!/usr/bin/env perl
use 5.010;
use strict;
use warnings;
use Parse::CPAN::Authors;
use Email::Stuff;

# The only argument is the path to a CPAN mailrc (author index) file.
my $mailrc = shift @ARGV;
die "usage: $0 <mailrc>\n" unless $mailrc && -f $mailrc;

my $pca = Parse::CPAN::Authors->new($mailrc);

# Message body; the quoted heredoc delimiter prevents interpolation.
my $body = << 'END_MAIL';
Dear CPAN author,

This email is being sent to inform you that all passwords on the popular
Perl Monks website were compromised. Many CPAN authors have accounts
there and in some cases have used the same password for PAUSE.

If you have any reason to suspect that your PAUSE account password is no
longer secure, please visit http://pause.cpan.org/ and change it.

If your PAUSE account is not affected, please disregard this message and
accept apologies for the unsolicited email.

Regards,
PAUSE Administrators
END_MAIL

# Send one message per author to their <pauseid>@cpan.org address.
for my $author ( $pca->authors ) {
    Email::Stuff->from('module@perl.org')
                ->to($author->pauseid . '@cpan.org')
                ->subject("Perl Monks compromised, PAUSE accounts at risk")
                ->text_body($body)
                ->send;
}
```

(If you're a CPAN Author, the text should be familiar to you as you either got it yesterday, don't have a current email address on PAUSE, or it got caught in your spam folder.)
So even as the community appreciates the value of "modern" Perl, it's good to remember that Perl and CPAN still rock when you need a quick solution to a problem.
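The other remedy debated on IRC, hashing the exposed passwords and checking them against another site's accounts, could look like the sketch below when run by that site's own administrators to decide which accounts need a forced reset. It is an added example, not part of the original post or any Perl site's code; the salted SHA-256 storage scheme, the `verify` and `accounts_to_reset` names and all sample records are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Assumed storage scheme for this sketch: hex SHA-256 of salt . password.
# A real site would call its own password-verification routine here.
sub verify {
    my ($user, $password) = @_;
    return sha256_hex($user->{salt} . $password) eq $user->{hash};
}

# Return the ids of local accounts whose leaked password still verifies.
sub accounts_to_reset {
    my ($leaked, $users) = @_;
    my %flagged;
    for my $rec (@$leaked) {
        my ($email, $password) = @$rec;
        my $user = $users->{ lc $email } or next;    # no local account
        $flagged{ $user->{id} } = 1 if verify($user, $password);
    }
    return sort keys %flagged;
}

# Constructed sample data; none of it comes from the actual breach.
my @leaked = (
    [ 'Alice@example.org', 'correct horse' ],
    [ 'bob@example.org',   'hunter2'       ],
    [ 'dave@example.org',  'letmein'       ],
);

# Constructed local user table, keyed by lowercased email address.
my %users = (
    'alice@example.org' => { id => 'ALICE', salt => 'a1b2',
                             hash => sha256_hex('a1b2' . 'correct horse') },
    'bob@example.org'   => { id => 'BOB',   salt => 'c3d4',
                             hash => sha256_hex('c3d4' . 'a different one') },
);

# Only the flagged ids are printed; the cleartext is never logged or stored.
print "force reset: $_\n" for accounts_to_reset(\@leaked, \%users);
```

With the constructed data, only the account that reused its leaked password is flagged; the user with a different local password and the address with no local account are skipped.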