I have the following challenge: bind a code written in Go with Perl (5.12.2)

In the past I use CGO + XS and it works as a charm, however my input was a string and the output, a boolean.

Now I need to return something more sophisticated. This could be represented as a hashref, something like this:

{ 
 foo => "bar",
 status => 1,
 ids => [1,2,3],
}

All tutorials about XS explain in detail how to use with primitive types (string, integer) but I can't find a good material about hashref, and libraries that may return a hashref such as YAML::XS seems really complex. FFI solutions also often handle primitive types and I can't find a good example of hashref.

I find one way but it seems... unethical. I can generate the structure in go code and serialize it as json, passing via GCO and XS to be parsed in Perl. I know that it may works, but I'd like to find a better solution.

Unfortunately, I have a very strong requirement about performance. Without this I would like to use an REST API or gRPC to do this integration, but the impact will be severe on this case.

RMG - Run perlivp in install path

RMG - Edit commit message for step of archiving perldelta

Porting/release_managers_guide.pod: document version placeholders

I started using DEV at the suggestion of Perl Weekly, and I was quite pleased with it - until I discovered that links to dev.to are effectively "shadowbanned" on several major platforms (Reddit, Hacker News, etc.). Posts containing DEV URLs would simply not be shown to users, making it impossible to share content effectively.

To work around this, I thought I would need a way to publish my DEV articles on my own domain so I could freely share them. There are some DEV tutorials out there that explain how to consume the API using frontend frameworks like React, however I don't enjoy frontend at all and I did not want to spend much time on that.

My solution was to get a simple Perl script that builds static versions of the articles, along with an index page. A Perl 5 script will run anywhere, including an old shared linux hosting account I still keep on IONOS, and I really like the speed of static sites.

I thought this is an ideal task to start with ChatGPT. Indeed, after 10-15 mins in a few prompts I had a sort-of working solution without having to open up the API documentation, nor writing any CSS. I then spent an hour or two fixing bugs, refactoring some of the ancient-looking code and tweaking / adding features (e.g. tag index pages) - tasks that I enjoy.

Here is the result. You can find the Perl script and assets in this repo.

It will run on pretty much any Perl 5 version (tested down to 5.10) with some basic CPAN modules (LWP::UserAgent, JSON, Path::Tiny).

To use it, check the project out from the repo and specify at least your DEV user name when calling the script:

./dev_to_static.pl -u [username]

# or to also specify a target directory and name your blog:
./dev_to_static.pl -u [username] -t [directory] -title="Blog name"

Try option -h to get more help.

You can run it on your web host, or run locally and copy the resulting directory to your host.

A nightly cron can update the site with new articles.

Devel::PPPort: add compatibility entries for the new vstrings

Based on @leont's comment on #23160.

This seems to produce reasonable results:

tony@venus:.../git/perl6$ cat foo.c
SvVSTRING
tony@venus:.../git/perl6$ ./perl -Ilib dist/Devel-PPPort/ppport.h --nofilter foo.c
Scanning foo.c ...
=== Analyzing foo.c ===
Uses SvVSTRING, which depends on sv_vstring_get, SvVSTRING_mg, mg_find, PERL_MAGIC_vstring, SvMAGICAL
File needs sv_vstring_get, adding static request
Needs to include 'ppport.h'
Analysis completed
Suggested changes:
--- foo.c       2025-04-01 10:51:39.040415623 +1100
+++ foo.c.patched       2025-04-01 10:55:11.347014468 +1100
@@ -1 +1,3 @@
+#define NEED_sv_vstring_get
+#include "ppport.h"
 SvVSTRING

Storable: use SvVSTRING() from ppport.h

What's new?

• The BoolLike type constraint accepts boolean.pm booleans.
• Type::Params offers some improvements for DWIM named parameter processing.
• More shortcuts are provided for exporting parameterized versions of type constraints.

Improvements to Type::Params

If your function or method takes named arguments, the list_to_named option allows these arguments to optionally be provided positionally as a shortcut:

  package My::Company;
  
  use v5.36;
  use Moo;
  use builtin qw( true false );
  use Types::Common qw( PositiveOrZeroNum InstanceOf );
  use Type::Params qw( signature_for );
  
  ...;
   
  signature_for pay_money => (
    method => true,
    named  => [
      amount    => PositiveOrZeroNum,
      employee  => InstanceOf['Local::Person'],
    ],
    list_to_named => true,
  );
  
  sub pay_money ( $self, $arg ) {
    $self->payroll_account->withdraw( $arg->amount );
    $arg->employee->bank_account->deposit( $arg->amount );
    return $self;
  }
  
  ...;
  
  my $co = My::Company->new( ... );
  
  # Standard usage is named arguments:
  $co->pay_money( amount => 3000, employee => $alice );
  $co->pay_money( { amount => 3000, employee => $bob } );
  
  # Or provide them as positional arguments in the same order
  # they were declared in (amount then employee):
  $co->pay_money( 3000, $carol );
  
  # Or if the types are unambiguous, switch it up and provide
  # them in the wrong order instead. Still works!
  $co->pay_money( $dave, 3000 );
  
  # Or mix and match:
  $co->pay_money( $eve, amount => 3000 );
  $co->pay_money( $eve, { amount => 3000 } );
  $co->pay_money( 3000, employee => $eve );
  $co->pay_money( 3000, { employee => $eve } );

Exporting Parameterized Types

For certain parameterizable types, there are now shortcuts to export parameterized versions of them.

For example, supposing you need to deal with numeric arrayrefs quite a lot. That is, arrayrefs containing only numbers. Previously, you'd probably do something like this:

  use Types::Common qw( Num ArrayRef );
  
  ...;
  
  has favourite_numbers => ( is => 'ro', isa => ArrayRef[Num] );
  
  ...;
  
  if ( ArrayRef->of( Num )->check( \@my_array ) ) {
    ...;
  }

Now you can easily create a Nums type constraint and use it:

  use Types::Common qw( Num );
  use Types::Standard::ArrayRef Nums => { of => Num };
  
  ...;
  
  has favourite_numbers => ( is => 'ro', isa => Nums );
  
  ...;
  
  if ( is_Nums \@my_array ) {
    ...;
  }

Not all parameterizable types support this, but many of the common ones do.

I did some home-grown escaping and un-escaping of space characters in perl 5.26.1, but it does not work as expected:

I escape characters using $c = "\001" . sprintf('%002x', ord($c)), and my attempt to un-escape those in a string was s/\001([\da-f]{2})/(?{ hex($1) })/g, but it did not work:

The output contained literal (?{ hex(20) }) where a space was expected, so as if the code wasn't actually executed.

When I add an additional /e modifier, I get a syntax error near "(?".

The manual page perlre has examples only for the left side of substitute, so I wonder: Can I use code on the right side, and if so: How is it done correctly?

In case someone is wondering about the larger context: I'm trying to solve an issue similar to Perl Split String that has double quotes and space, but for single- and double-quoted strings.

My home page gives you access to:

o Perl TiddlyWiki V 1.25
o Mojolicious TiddlyWiki V 1.03
o Debian TiddlyWiki V 1.07
o Some other stuff...

What’s new?

• The BoolLike type constraint accepts boolean.pm booleans.
• Type::Params offers some improvements for DWIM named parameter processing.
• More shortcuts are provided for exporting parameterized versions of type constraints.

Improvements to Type::Params

If your function or method takes named arguments, the list_to_named option allows these arguments to optionally be provided positionally as a shortcut:

  package My::Company;

  use v5.36;
  use Moo;
  use builtin qw( true false );
  use Types::Common qw( PositiveOrZeroNum InstanceOf );
  use Type::Params qw( signature_for );

  ...;

  signature_for pay_money => (
    method => true,
    named => [
      amount => PositiveOrZeroNum,
      employee => InstanceOf['Local::Person'],
    ],
    list_to_named => true,
  );

  sub pay_money ( $self, $arg ) {
    $self->payroll_account->withdraw( $arg->amount );
    $arg->employee->bank_account->deposit( $arg->amount );
    return $self;
  }

  ...;

  my $co = My::Company->new( ... );

  # Standard usage is named arguments:
  $co->pay_money( amount => 3000, employee => $alice );
  $co->pay_money( { amount => 3000, employee => $bob } );

  # Or provide them as positional arguments in the same order
  # they were declared in (amount then employee):
  $co->pay_money( 3000, $carol );

  # Or if the types are unambiguous, switch it up and provide
  # them in the wrong order instead. Still works!
  $co->pay_money( $dave, 3000 );

  # Or mix and match:
  $co->pay_money( $eve, amount => 3000 );
  $co->pay_money( $eve, { amount => 3000 } );
  $co->pay_money( 3000, employee => $eve );
  $co->pay_money( 3000, { employee => $eve } );

Exporting Parameterized Types

For certain parameterizable types, there are now shortcuts to export parameterized versions of them.

For example, supposing you need to deal with numeric arrayrefs quite a lot. That is, arrayrefs containing only numbers. Previously, you’d probably do something like this:

  use Types::Common qw( Num ArrayRef );

  ...;

  has favourite_numbers => ( is => 'ro', isa => ArrayRef[Num] );

  ...;

  if ( ArrayRef->of( Num )->check( \@my_array ) ) {
    ...;
  }

Now you can easily create a Nums type constraint and use it:

  use Types::Common qw( Num );
  use Types::Standard::ArrayRef Nums => { of => Num };

  ...;

  has favourite_numbers => ( is => 'ro', isa => Nums );

  ...;

  if ( is_Nums \@my_array ) {
    ...;
  }

Not all parameterizable types support this, but many of the common ones do.

Originally published at Perl Weekly 714

Hi there,

Happy Idd to all the weekly newsletter readers who celebrate the festival. We celebrated Idd yesterday in England and I assume it is being celebrated today in my native country, India. May ALLAH s.w.t guide us all in the right path, Ameen.

For me personally, the highlight of last week was the event organised by the Toronto Perl Mongers. It focussed on the new edition of the book, Data Munging With Perl (2nd edition). Unfortunately I missed the event despite registering for it. However, I'm told the recording will be available soon. If you missed it too, don't worry, you will be to catch up soon.

Speaking of the book, it is one of those must read classics for every Perl programmers. I read it, when it was first released, and I highly recommend you getting a copy to benefit from it.

Last week, Gabor mentioned Ramadan seemed to have had positive impact on me as I started writing more frequently these days. He was absolutely right!. But now that Ramadan is over, I'm not sure if I'll continue at the same pace. That said, I truly enjoyed this little burst of writing. It felt like therapy to me. It allowed me to share whatever was on my mind at the time. And when I receive encouraging responses, it gives me even more motivation to keep going.

I wrote few pieces last week, all of which are listed below. Please do check them out and share your thoughts.

I'd also like to take this opportunity to thank, brian d foy for his incredible book: Perl new features. I have shared my take on some of the topics discussed in the book, and I highly recommend getting a copy. The latest edition has been updated to cover Perl v5.38.

This edition of the newsletter is packed with positive Perl news, so take your time and enjoy.

Happy Monday!!

--
Your editor: Mohammad Sajid Anwar.

Announcements

Announcing the Perl Toolchain Summit 2025!

This announcement comes a bit late in the year, but the preparations for the next Perl Toolchain Summit have been going on for several months now. Today I am proud to announce that the 15th Perl Toolchain Summit will be held in Leipzig, Germany, from Thursday May 1st till Sunday May 4th, 2025.

My participation to the Perl Toolchain Summit 2025

Welcome to PTS 2025. I wish you all the very best.

Articles

This week in PSC (183) | 2025-03-20

Discussion about numify function. Work in good progress for next big release v5.42. Thank you team.

This week in PSC (184) | 2025-03-27

Good news, things are moving in the right direction.

Create a static mirror of your DEV blog

Great success story of Perl. This must be shared with everyone. Kudos for the effort.

Welcome to Perl

This post is dedicated to all newbie in Perl. Just a refresher how things work in Perl.

Benchmark CPUs Easily with the dkbench Docker image

Recently I started playing with Docker and this post caught my eyes. Cool little toy, you must check it out.

Using Perl to Write CNC GCode

Ever Wondered How to Write Software to Control a CNC for a Common Task Like Flattening Wood? Find the answer in this incredible post.

Web Access Errors not What I Suspected

Interesting problem and then cool solution. Keep sharing such stories.

Subroutine Signatures in Perl

It's about the how you deal with default parameter values when it is undef or false in Perl v5.38 or above.

Random in Perl

Environment variable PERL_RAND_SEED in Perl v5.38 and how this gives you power in your own hand.

Perl Regex

Special variable ${^LAST_SUCCESSFUL_PATTERN} in Perl v5.38. Find out more how this can be really useful.

The Weekly Challenge

The Weekly Challenge by Mohammad Sajid Anwar will help you step out of your comfort-zone. You can even win prize money of $50 by participating in the weekly challenge. We pick one champion at the end of the month from among all of the contributors during the month, thanks to the sponsor Lance Wicks.

The Weekly Challenge - 315

Welcome to a new week with a couple of fun tasks "Find Words" and "Find Third". If you are new to the weekly challenge then why not join us and have fun every week. For more information, please read the FAQ.

RECAP - The Weekly Challenge - 314

Enjoy a quick recap of last week's contributions by Team PWC dealing with the "Equal Strings" and "Sort Column" tasks in Perl and Raku. You will find plenty of solutions to keep you busy.

Equally Sorted

A very special construct used, never tried it before: unless-else-redo unless. This is incredible. Keep sharing the knowledge with us.

TWC314

I wouldn't say short as per his standard but agressive use of substr() would make you look at it very carefully. Cool work and well done.

Sort of Equal

When it comes to detailing, no one can beat him. There's hardly anything left for imagination. Everything is documented. Great work, keep it up.

Monotonous Prefixes

Another week another creative regex in display. Enjoy and decode it yourself. Have fun!!

Perl Weekly Challenge 314

Master of one-liner, once again surprised us with variations. Well done and keep it up.

Count Any Zipped Column

Simply love the story from start to finish. Great naration and beautiful solution. Keep it up and well done.

Even more strings

Smart move for catching the edge case. Well documented solution and bonus DIY tool as always. Super cool, keep it up.

The Weekly Challenge #314

It's incredible how you find the edge cases and then presented with choices. Kudos for your effort, keep sharing your knowledge with us.

Stringy Column

Raku rocks!! Basic non-recursive array comparator in Raku worth checking. This is cute. Thanks for sharing and well done.

Sorted equally

Here you go, Python at it's best. Never seen this construct: if-for loop. Python is a free bird, you can't catch him. Thanks for your contributions.

Rakudo

2025.12 Red on RakuAST

Other

Angry at Bash

The title suggest angry at bash but in reality the anger is toward myself. Find out more in the post.

GitHub meets GitLab

My learning process to pick up GitLab. You might have experienced this too.

Weekly collections

NICEPERL's lists

Great CPAN modules released last week;
MetaCPAN weekly report.

Events

Boston.pm monthly meeting

Virtual event

Paris.pm monthly meeting

Paris, France

German Perl/Raku Workshop Conference 2025

Munich, Germany

Paris.pm monthly meeting

Paris, France

Paris.pm monthly meeting

Paris, France

The Perl and Raku Conference 2025

Greenville, South Carolina, USA

You joined the Perl Weekly to get weekly e-mails about the Perl programming language and related topics.

Want to see more? See the archives of all the issues.

Not yet subscribed to the newsletter? Join us free of charge!

(C) Copyright Gabor Szabo
The articles are copyright the respective authors.

Weekly Challenge 314

Each week Mohammad S. Anwar sends out The Weekly Challenge, a chance for all of us to come up with solutions to two weekly tasks. My solutions are written in Python first, and then converted to Perl. It's a great way for us all to practice some coding.

Challenge, My solutions

Equal Strings

Task

You are given three strings.

You are allowed to remove the rightmost character of a string to make all equals.

Write a script to return the number of operations to make it equal otherwise -1.

My solution

With these challenges, it's sometimes more efficient to do things differently to achieve the same result, and that is the case with this task.

While this tasks says three strings are provided, my code will take any number of strings.

For this task, I determine the longest string where all the characters are the same. I start by defining the variables shortest_length and combined_length. As the names suggest, the first value is the length of the shortest string. The combined_length variable stores the length of all strings combined.

def equal_strings(strs: list) -> int:
    shortest_length = min(len(s) for s in strs)
    combined_length = sum(len(s) for s in strs)

I have a variable l which starts with the length of the shortest string and goes back to one. For each length I check if all the string of the specified length are the same.

If they are, I can work out the characters which were deleted (which is what we are looking for) by subtracted the remaining characters (the number of items times the length) from the combined_length value.

    for l in range(shortest_length, 0, -1):
        if all_same(s[0:l] for s in strs):
            return combined_length - len(strs) * l

The all_same functions uses the generator in the middle line and returns a boolean if they are all the same. In Python this is a one liner. Turning the generator into a set will result in one value as sets only hold unique values.

def all_same(strs: Generator[str]) -> bool:
    return len(set(strs)) == 1

The Perl version of this sub is also a one liner, but uses a different approach. It checks if all strings are the same as the first string.

sub all_same(@substrs) {
    return all { $_ eq $substrs[0] } @substrs;
}

Finally, I return -1 if the iterator is exhausted and the first character is not the same.

    return -1

Examples

$ ./ch-1.py abc abb ab
2

$ ./ch-1.py ayz cyz xyz
-1

$ ./ch-1.py yza yzb yzc
3

Task 2: Sort Column

You are given a list of strings of same length.

Write a script to make each column sorted lexicographically by deleting any non sorted columns.

Return the total columns deleted.

My solution

As we only need the number of columns deleted, there no actual deletion involved in this solution.

I start this task by checking that all strings are the same length. If they are not, I raise an exception.

I then have an iterator called idx that loops from 0 to one less than the length of the strings. I create a list (array in Perl) called characters that has the characters from each string at the position idx. If the sorted list is different than the original list, I add one to the unsorted_count variable.

def sort_column(strs: list) -> int:
    if any(len(s) != len(strs[0]) for s in strs):
        raise ValueError('Strings are not of the same length')

    unsorted_count = 0

    for idx in range(len(strs[0])):
        characters = [s[idx] for s in strs]
        if characters != sorted(characters):
            unsorted_count += 1

    return unsorted_count

As Perl does not have an easy way to compared two arrays for eqaulity, I took a slightly different approach. For the Perl solution, I have an inner loop to check if the letter in the characters array is less than the previous one. If it is, it means the letters are not in lexicographic order, and I can add to the unsorted_count value and exit the inner loop.

  O: for my $idx ( 0 .. length( $strs[0] ) - 1 ) {
        # Check that the characters at position idx are sorted
        my @characters = map { substr( $_, $idx, 1 ) } @strs;

        foreach my $sub_idx ( 1 .. $#characters ) {
            if ( $characters[ $sub_idx - 1 ] gt $characters[$sub_idx] ) {
                # If the character at this position is less than the last one
                #  it is not sorted
                $unsorted_count++;
                next O;
            }
        }
    }

Examples

$ ./ch-2.py swpc tyad azbe
2

$ ./ch-2.py cba daf ghi
1

$ ./ch-2.py a b c
0

1. App::DBBrowser - Browse SQLite/MySQL/PostgreSQL databases and their tables interactively.
   • Version: 2.426 on 2025-03-24, with 15 votes
   • Previous CPAN version: 2.424 was 15 days before
   • Author: KUERBIS
2. DateTime::TimeZone - Time zone object base class and factory
   • Version: 2.65 on 2025-03-26, with 21 votes
   • Previous CPAN version: 2.64 was 2 months, 9 days before
   • Author: DROLSKY
3. Graph - graph data structures and algorithms
   • Version: 0.9735 on 2025-03-27, with 27 votes
   • Previous CPAN version: 0.9734 was 26 days before
   • Author: ETJ
4. Math::BigInt - Pure Perl module to test Math::BigInt with scalars
   • Version: 2.005002 on 2025-03-28, with 13 votes
   • Previous CPAN version: 2.004001 was 26 days before
   • Author: PJACKLAM
5. Number::Phone - base class for Number::Phone::* modules
   • Version: 4.0006 on 2025-03-23, with 19 votes
   • Previous CPAN version: 4.0005 was 3 months, 11 days before
   • Author: DCANTRELL
6. PDL - Perl Data Language
   • Version: 2.100 on 2025-03-27, with 57 votes
   • Previous CPAN version: 2.099 was 2 months, 4 days before
   • Author: ETJ
7. Pod::Usage - extracts POD documentation and shows usage information
   • Version: 2.05 on 2025-03-29, with 46 votes
   • Previous CPAN version: 2.03 was 2 years, 10 months, 8 days before
   • Author: MAREKR
8. Sys::SigAction - Perl extension for Consistent Signal Handling
   • Version: 0.24 on 2025-03-26, with 12 votes
   • Previous CPAN version: 0.23 was 8 years, 6 months, 15 days before
   • Author: LBAXTER
9. Term::Choose - Choose items from a list interactively.
   • Version: 1.771 on 2025-03-27, with 15 votes
   • Previous CPAN version: 1.768 was 22 days before
   • Author: KUERBIS
10. Test::Simple - Basic utilities for writing tests.
    • Version: 1.302210 on 2025-03-29, with 192 votes
    • Previous CPAN version: 1.302209 was 2 months, 7 days before
    • Author: EXODIST

This is the weekly favourites list of CPAN distributions. Votes count: 45

Week's winners (+3): ARGV::JSON 

Build date: 2025/03/29 21:23:30 GMT

Clicked for first time:

• CPAN::Requirements::Dynamic - Dynamic prerequisites in meta files
• Crypt::OpenSSL::PKCS10 - Perl extension to OpenSSL's PKCS10 API.
• Dancer2::Plugin::OpenAPI - create OpenAPI documentation of your application
• Gnome2::Canvas - (DEPRECATED) A structured graphics canvas
• JQ::Lite - A lightweight jq-like JSON query engine in Perl
• Mail::Abuse - A plugin for accessing abuse complaints
• Task::Biodiverse - Task for Biodiverse dependencies [DEPRECATED]

Increasing its reputation:

• App::DBBrowser (+1=15)
• App::githook::perltidy (+1=8)
• App::Music::ChordPro (+1=4)
• ARGV::JSON (+3=4)
• Catalyst::Manual (+1=50)
• Catalyst::Runtime (+1=158)
• Config::Tiny (+1=36)
• CryptX (+1=52)
• DBI (+1=278)
• e (+1=6)
• Email::Stuffer (+1=36)
• Gazelle (+1=26)
• HTML5::DOM (+1=14)
• HTTP::Promise (+1=2)
• JSON::PP (+1=20)
• Map::Tube (+1=8)
• Net::Dict (+1=3)
• no::warnings (+1=2)
• OpenGL::GLFW (+1=2)
• PAR::Packer (+1=44)
• Parallel::ForkManager (+1=101)
• perl (+2=430)
• Pinto (+1=64)
• Pod::Usage (+1=46)
• Readonly (+1=23)
• Scalar::List::Utils (+1=180)
• SPVM (+1=36)
• Switch::Right (+1=3)
• Sys::Cmd (+1=4)
• Sys::CpuLoad (+1=2)
• Sys::SigAction (+1=12)
• Text::CSV (+1=81)
• Text::ParseWords (+1=15)
• Time::Moment (+1=74)
• Tree::RB::XS (+1=5)
• Weather::Fetch (+1=2)

An introduction to newbie in Perl.
Please checkout the post for more information:
https://theweeklychallenge.org/blog/welcome-to-perl

All three were present.

• We went over developments on the point release front. Things are now finally moving, if slowly.
• We discussed some internal quality-of-life improvements to the PSC meeting workflow.
• We briefly reflected on our work as the PSC given our various personal circumstances this year.
• We discussed PPC 0027 (any/all), prompted by the Mojolicious::Lite DSL question. We went over its status, how the work got merged, and current issues with the design. We confirmed an already possible technical solution to the Mojolicious issue and agreed that it satisfies us for now, but we still intend to pick up the further issues at a later time.

[P5P posting of this summary]

The examples used here are from the weekly challenge problem statement and demonstrate the working solution.

Part 1: Equal Strings

You are given three strings. You are allowed to remove the rightmost character of a string to make all equals. Write a script to return the number of operations to make it equal otherwise -1.

The fact that we’re give exactly three strings makes things slightly easier. The approach we’ll take is to pop off the last letter of each and compare the remainders. If they are equal then we are done. Otherwise we’ll continue popping off letter until we’re done.

A special case to consider is when the strings are of unequal length. In that case we make sure to only pop off letters from equal length strings, although the untouched strings will still be used when checking to see if we are done.

Everything can be easily contained in one subroutine. I know that the do blocks with postfix if are not common, but to me they are the most aesthetic way to conditionally perform two short statements.

Putting it all together...

The rest of the code just runs some simple tests.

Sample Run

$ perl perl/ch-1.pl 
2 
-1 
3
    

Part 2: Sort Column

You are given a list of strings of same length. Write a script to make each column sorted lexicographically by deleting any non sorted columns. Return the total columns deleted.

Unlike the first part, the strings here are guaranteed to be all of the same length and we do not know how many we will need to consider.

We’ll put everything together in a single subroutine.

The rest of the code drives some tests.

Sample Run

$ perl perl/ch-2.pl 
2 
1 
0
    

References

The Weekly Challenge 314
Generated Code

[Update, I've amended to reflect the die problem that was fixed thanks to comments below]

After upgrading from Fedora 39 to 41, my apache (httpd-2.4.63-1.fc41.x86_64) server is giving strange results. I run scripts out of a public_html (755 permissions) using apache's virtual host with public_html with userdir (I also have it set up to use ssl). Note that I've turned off selinux for this whole exercise, thinking that that was my source of issue. The problem still persists.

I have this very simple script called simpletest.cgi (which worked as is before the upgrade):

require DB_File;
print "Content-type: text/html\n\n";
print "<HTML><HEAD><TITLE>CGI Test Script</TITLE></HEAD>\n";
print "<BODY>\n";
print "Test\n";
tie %dbase, 'DB_File', "/<fullpath>/data/billyard_clean.db" or die "Can't open file: $!<br>\n";
print "(".$dbase{"I14.NAME"}.")<br>\n";
print "\n</BODY>\n</HTML>\n";
exit;

I get two different outputs depending on whether I run it as a command line script or through the httpd server.

Running perl -w simpletest.cgi in the same directory gives me the expected output:

    Content-type: text/html
    
    <HTML><HEAD><TITLE>CGI Test Script</TITLE></HEAD>
    <BODY>
    Test
    (Andrew Philip /Billyard/)<br>
    </BODY>
    </HTML>

Yet if I run this in the browser with URL https://<address>/~user/cgi-bin/simpletest.cgi, the code halts at the database tie line, with only the output:

    <HTML><HEAD><TITLE>CGI Test Script</TITLE></HEAD>
    <BODY>
    Test

The /var/log/httpd/ssl_error_log file reports that the $! error generated is Read-only file system. Note that I have verified that SElinux is off and that the script is ran as the same user as when it is ran on the command line.

Any suggestions?

(cover by Hunter Haley)

What is the Perl Toolchain Summit?

The Perl Toolchain Summit (PTS) nee "Perl QA Hackathon" is an amazing event, in the form of an hackathon, taking place yearly in Europe.

It's a open source gathering of several critically important people running the Perl infrastructure.

(picture from Ant Rozetsky)

Some of the vital pieces of software taken care at Perl Toolchain Summit are:

• PAUSE, CPAN and MetaCPAN
• CPAN installers: cpan, cpanp, cpanm, cpm, etc...
• Builders: ExtUtils::MakeMaker, Module::Build, Module::Build::Tiny
• Smokers: CPANTesters, Test::Smoke
• Authoring tools: Dist::Zilla, Dist::Milla, Minilla, etc...
• Test frameworks: Test2, etc...
• CPAN Security

This gathering, invite-only, is happening once a year and group together a lot of essential folks running Perl and CPAN.

It is made possible thanks to the generous sponsoring of companies.

By sponsoring this event, companies both mark their strong belief in Free Software and help maintaining the present/future quality of Perl ecosystem (or give thanks for past good and loyal service for years).

It radiates well beyond the event since the attendees are committed to Perl all along the year before and after the summit.

To give you an example, see the list of achievements of CPAN Security group in 2024 (which is particularly relevant since CPANSec group was created at Perl Toolchain Summit 2023 and will be again well represented during this summit)

What about /me?

This year, I got invited to the Perl Toolchain Summit. It will be my first time :)

I felt honored and blessed to receive an invitation.

"Woohoo!" \o/

I'm now feeling excited to join this event and meet all those great names.

I'm far from the value of some core members participating to the Perl Toolchain Summit but I think this invitation rewards my involvement in Perl toolchain (and Perl in general). So I would lie to say that I'm an imposter. But still, I will try be up to the chance I'm given!

My plan

I'm involved in multiple topics but I'm thinking I will work mainly on the 3 following topics:

1. Perl interpreter smoke test tooling (for which I'm the maintainer now)
2. Security (along with CPANSec group) where I've been involved lately
3. CPAN in general (PAUSE, indexes, installers, architecture, etc...)

Topics 2. and 3. are largely overlapping themself.

For the topics involving collaboration, I'm not going with big breaking ideas but mostly with little realistic changes that I consider with relatively big "return on invest". I think there's some inertia (because of the compatibility value being deep rooted in the DNA of Perl) that we should respect and should make us "reasonable dreamers".

If you're used to read me, you know that I'm also thinking out of the technical box. Sometimes speaking about the social nature of CPAN or how communication impacts as much as technical excellence.

I'm not fixing myself "success criteria" to fulfill to consider I would have succeeded my summit. If I'm preparing a bit, I also want to keep some "freshness" toward the event.

What else to say now apart that I can't wait to be there!

Meanwhile...

Happy Perl Hacking!

I developed Benchmark::DKbench to use in my Cloud VM CPU comparisons. It's a great tool for general CPU benchmarking, scaling efficiently to hundreds of cores on large cloud VMs, but it may require some setup (a working Perl system and some basic libraries and CPAN modules).

To simplify the process and ensure a consistent benchmarking environment across different systems, I created a ready-to-use Docker image.

Quick Start

If you have Docker installed, you can be benchmarking in seconds:

docker run -it --rm dkechag/dkbench

Once inside the container:

dkbench

That's it!

Docker Image Details

• Docker Hub: hub.docker.com/r/dkechag/dkbench
• GitHub Source: github.com/dkechag/dkbench-docker
• Architectures: amd64, arm64

Sample Output

Output of base command on a c4a-highcpu-72 (Google Axion) VM:

--------------- Software ---------------
DKbench v3.00
Perl v5.36.0 (threads, multi)
OS: Debian GNU/Linux 12.10 (bookworm)
--------------- Hardware ---------------
CPU type:  (aarch64)
CPUs: 72 (72 Cores)
----------------------------------------
DKbench single-thread run:
Benchmark           Score               Pass/Fail
Astro:               1108               Pass
BioPerl Monomers:    1090               Pass
CSS::Inliner:        1135               Pass
Crypt::JWT:          1201               Pass
DBI/SQL:             1385               Pass
DateTime:            1416               Pass
Digest:               925               Pass
Encode:              1302               Pass
HTML::FormatText:    1121               Pass
Imager:              1344               Pass
JSON::XS:            1227               Pass
Math::DCT:           1211               Pass
Math::MatrixReal:     937               Pass
Moose:               1138               Pass
Moose prove:         1354               Pass
Primes:              1071               Pass
Regex/Subst:         1073               Pass
Regex/Subst utf8:    1164               Pass
Text::Levenshtein:   1282               Pass
Overall Score:       1183
----------------------------------------
DKbench 72-thread run:
Benchmark           Score               Pass/Fail
Astro:              79101               Pass
BioPerl Monomers:   77803               Pass
CSS::Inliner:       77056               Pass
Crypt::JWT:         86454               Pass
DBI/SQL:            100131              Pass
DateTime:           101748              Pass
Digest:             66419               Pass
Encode:             89550               Pass
HTML::FormatText:   75762               Pass
Imager:             95798               Pass
JSON::XS:           88109               Pass
Math::DCT:          86547               Pass
Math::MatrixReal:   67094               Pass
Moose:              81572               Pass
Moose prove:        76786               Pass
Primes:             63421               Pass
Regex/Subst:        76028               Pass
Regex/Subst utf8:   83210               Pass
Text::Levenshtein:  91956               Pass
Overall Score:      82344
----------------------------------------
Multi thread Scalability:
Benchmark               Multi perf xSingle      Multi scalability %
Astro:                  71.41                   99
BioPerl Monomers:       71.36                   99
CSS::Inliner:           67.88                   94
Crypt::JWT:             71.98                   100
DBI/SQL:                72.32                   100
DateTime:               71.87                   100
Digest:                 71.78                   100
Encode:                 68.76                   96
HTML::FormatText:       67.59                   94
Imager:                 71.27                   99
JSON::XS:               71.81                   100
Math::DCT:              71.48                   99
Math::MatrixReal:       71.58                   99
Moose:                  71.67                   100
Moose prove:            56.72                   79
Primes:                 59.23                   82
Regex/Subst:            70.88                   98
Regex/Subst utf8:       71.49                   99
Text::Levenshtein:      71.70                   100
----------------------------------------
DKbench summary (19 benchmarks, 72 threads):
Single:              1183
Multi:              82344
Multi/Single perf:  70.99x  (67.59 - 72.32)
Multi scalability:  98.6%   (94% - 100%)

Happy benchmarking!

We are currently setting up a staging server (called beta) for a project consisting of two sub-projects and a bunch of services in each project. Each service uses a distinct role (postgres-speech for user), so I needed to set up a lot of roles, where each role has a distinct username and password. We use gopass to manage our passwords (and related info like usernames). When deploying (via Ansible) we can extract the passwords from gopass and inject them into the environment of the containers running the services. Instead of manually creating a password, storing it in gopass and creating a role in our Postgres cluster, I wrote a short script to automate this:

The script

#!/usr/bin/perl

use v5.36;

open(my $fh, ">", "create_roles.sql") || die $!;

my @stages = qw(beta production);
my @services = qw(accounts-admin accounts-mailer accounts-sso winxle-admin winxle-ga-logger winxle-merchant winxle-newsletter winxle-quickdatacollectionform winxle-scripts winxle-user winxle-winner);

for my $stage (@stages) {
    for my $service (@services) {
        $service =~ /^(\w+)-/;
        my $project = $1;
        my $gopasspath = join('/','validad', $project, $stage, $service, 'database');
        my $snake_service = $service;
        $snake_service=~s/-/_/g;

        my $rv = `gopass generate -f -p $gopasspath 32`;
        my @lines = split(/\n/, $rv);
        my $pw = $lines[3];

        my $role = sprintf('connect_%s_%s', $stage, $snake_service);

        my $create_role = sprintf("CREATE ROLE %s IN ROLE %s LOGIN PASSWORD '%s';", $role, $project, $pw);
        say $fh $create_role;

        my $add_username_cmd = qq{echo "\nuser: $role" | gopass insert -a $gopasspath};
        system($add_username_cmd);
    }
}
close $fh;

Walk through

I open a file to store the SQL statements (create_roles.sql) and define my stages and my services and walk through all of them in a double for loop.

I extract the $project name from the $service name (i.e. accounts or winxle) and use that to create the path to the secret in gopass. This could be for example validad/winxle/production/winxle-merchant/database or validad/accounts/beta/accounts-sso/database.

I convert the project name from kebab-case (winxle-user) to snake-case (winxle_user, notice the underscore).

Then I call gopass generate via backticks to create a new password with a length of 32 characters. gopass will store that new password in the store and return the newly created password in the output. Using backticks (`...`) allows me to easily capture the return value into a string, which I split into an array. I visually "parsed" the output of gopass generate and learned that the fourth line (or $lines[3]) contains the password (if -p is set, which I did), so I copy that value into $pw.

Next I generate the $role name, eg connect_beta_winxle_admin.

Now I generate a CREATE ROLE statement for Postgres, containing the newly created random password and output this to the file create_roles.sql.

Finally I use gopass insert to append the username to the gopass secret file.

The result

After running the script, I have a file create_roles.sql which I "deployed" via copy/paste into psql running on the cluster.

And I have a bunch of new gopass secrets like this:

gopass show validad/winxle/beta/winxle-winner/database
Secret: validad/winxle/beta/winxle-winner/database

iSh3Iepush7ohth7ieh2ed8aecoCh2oX

user: connect_beta_winxle_winner

Writing a script was definitely more fun than doing all this by hand. Not sure if was faster, though. But with a tiny more bit of work I can improve this script to update existing roles, so we can more often / more easily rotate our DB credentials. And I got a blog post out of it!

I wrote some simple perl script that creates an Net::LDAP::LDIFobject on an input file and then reads the contents using $ldif->read_entry(). After some processing I'm writing the entries again to STDOUT using $ldif->write_entry($entry).

The code works fine for "normal" LDIF files, but when processing an LDIF file that contains include, it fails like this:

First line of LDIF entry does not begin with "dn:" at ...

Is there a way "pass though" such includelines?

An example of such input would be:

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

include: file:///etc/openldap/schema/cosine.ldif

Such include files would contain DNs themselves, like this:

dn: cn=core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: core
#...

The module version I'm using is perl-ldap-0.65-1.3.1.x86_64 (perl 5.26), just in case.

How do I make and display a QR Code for our 2FA in our Perl based web application?

My use case is to generate a 2FA QR Code based on an encrypted otpauth path that can be scanned by Google Authenticator or Microsoft Authenticator. That QR code should be generated and returned via my ajax call as a temporary image in browser memory, NOT server side.

The examples used here are from the weekly challenge problem statement and demonstrate the working solution.

Part 1: Broken Keys

You have a broken keyboard which sometimes type a character more than once. You are given a string and actual typed string. Write a script to find out if the actual typed string is meant for the given string.

What we’re faced with here is a problem of removing consecutive duplicated letters. The trick is that some letters may be correctly duplicated in succession! For example “coffeescript”has two f’s and two e’s which are not in error. We’re given the correct version so wee need to track the current correct letter and find deviations.

Another special case to consider is when the deviations occur at the end of the string and we get all of the same repeated letters as in the “rrakuuuu”example. To address this we check if the repeated letters remaining match the last known good letter.

Our solution is to loop over the letters in the candidate string guided by the original word. We do this all in one subroutine, the code is not so unwieldy to need to be broken into smaller pieces.

We really just need one subroutine to co-ordinate the inputs and run the main loop that’s required.

Putting it all together...

The rest of the code just runs some simple tests.

Sample Run

$ perl perl/ch-1.pl 
1 
1 
0 
1
    

Part 2: Reverse Letters

You are given a string. Write a script to reverse only the alphabetic characters in the string.

First we separate the alphabetic characters from the string, then we reverse them, then we finish by recombining the reversed alphabetic characters with the non-alphabetic characters.

We’ll put everything together in a single subroutine.

The rest of the code drives some tests.

Sample Run

$ perl perl/ch-2.pl 
l-re?p 
yLk-e!e-w 
_e-!g_nel-la!h_c
    

References

The Weekly Challenge 313
Generated Code

1. App::ModuleBuildTiny - A standalone authoring tool for Module::Build::Tiny and Dist::Build
   • Version: 0.048 on 2025-03-20, with 12 votes
   • Previous CPAN version: 0.047 was 8 months, 8 days before
   • Author: LEONT
2. App::Sqitch - Sensible database change management
   • Version: v1.5.1 on 2025-03-16, with 44 votes
   • Previous CPAN version: v1.5.0 was 2 months, 8 days before
   • Author: DWHEELER
3. DateTime::Format::Natural - Parse informal natural language date/time strings
   • Version: 1.20 on 2025-03-22, with 18 votes
   • Previous CPAN version: 1.19 was 2 months, 17 days before
   • Author: SCHUBIGER
4. DBIx::Class::Schema::Loader - Create a DBIx::Class::Schema based on a database
   • Version: 0.07053 on 2025-03-19, with 45 votes
   • Previous CPAN version: 0.07052 was 1 year, 2 months, 13 days before
   • Author: VEESH
5. Firefox::Marionette - Automate the Firefox browser with the Marionette protocol
   • Version: 1.64 on 2025-03-20, with 16 votes
   • Previous CPAN version: 0.77 was 5 years, 8 months, 13 days before
   • Author: DDICK
6. JSON::Validator - Validate data against a JSON schema
   • Version: 5.15 on 2025-03-16, with 35 votes
   • Previous CPAN version: 5.14 was 2 years, 10 days before
   • Author: JHTHORSEN
7. Module::CoreList - what modules shipped with versions of perl
   • Version: 5.20250321 on 2025-03-21, with 44 votes
   • Previous CPAN version: 5.20250220 was 25 days before
   • Author: BINGOS
8. Mojolicious::Plugin::OpenAPI - OpenAPI / Swagger plugin for Mojolicious
   • Version: 5.11 on 2025-03-18, with 46 votes
   • Previous CPAN version: 5.09 was 2 years, 26 days before
   • Author: JHTHORSEN
9. OpenGL - Perl bindings to the OpenGL API, GLU, and GLUT/FreeGLUT
   • Version: 0.7004 on 2025-03-19, with 13 votes
   • Previous CPAN version: 0.70 was 8 years, 5 months, 11 days before
   • Author: ETJ
10. Path::Tiny - File path utility
    • Version: 0.148 on 2025-03-17, with 191 votes
    • Previous CPAN version: 0.146 was 10 months, 9 days before
    • Author: DAGOLDEN
11. Spreadsheet::Read - Meta-Wrapper for reading spreadsheet data
    • Version: 0.93 on 2025-03-17, with 31 votes
    • Previous CPAN version: 0.91 was 6 months, 21 days before
    • Author: HMBRAND
12. SPVM - The SPVM Language
    • Version: 0.990049 on 2025-03-20, with 35 votes
    • Previous CPAN version: 0.990048 was 8 days before
    • Author: KIMOTO
13. Sys::Virt - libvirt Perl API
    • Version: v11.1.0 on 2025-03-19, with 17 votes
    • Previous CPAN version: v11.0.0 was 1 month, 12 days before
    • Author: DANBERR

This is the weekly favourites list of CPAN distributions. Votes count: 62

This week there isn't any remarkable distribution

Build date: 2025/03/22 22:53:29 GMT

Clicked for first time:

• App::ANSIColorUtils - Utilities related to ANSI color
• Map::Tube::GraphViz - GraphViz interface to the Map::Tube.
• MIDI::RtController - Control your MIDI controller
• no::warnings - suppress certain warnings for a dynamic scope
• Time::Progress - Elapsed and estimated finish time reporting.

Increasing its reputation:

• Acme::CPANAuthors::Russian (+1=5)
• AnyEvent (+1=166)
• App::Sqitch (+1=44)
• Attribute::Lexical (+1=2)
• Carmel (+1=35)
• Carp::REPL (+1=4)
• Carp::Reply (+1=11)
• Data::Dumper::GUI (+1=8)
• Data::Faker (+1=11)
• Data::Printer (+1=153)
• DBIx::TempDB (+1=4)
• Devel::REPL (+1=72)
• Dist::Milla (+1=38)
• Dist::Zilla::Plugin::Git::Contributors (+1=10)
• Feature::Compat::Try (+1=19)
• Function::Parameters (+1=61)
• Future (+1=58)
• Future::AsyncAwait (+1=48)
• Geo::Hash (+1=2)
• Image::Libpuzzle (+1=3)
• Image::PHash (+1=2)
• IO::Async (+1=77)
• JSON (+1=109)
• JSON::PP (+1=19)
• JSON::XS (+1=118)
• LWP::UserAgent::WithCache (+1=2)
• Module::CoreList (+1=44)
• Mojo::Pg (+1=74)
• Mojolicious (+1=502)
• Mojolicious::Plugin::Webpack (+1=5)
• Mom (+1=4)
• namespace::autoclean (+1=28)
• Net::SMPP (+1=3)
• Otogiri (+1=4)
• Package::Stash (+1=28)
• PDL::Stats (+1=16)
• Perl::LanguageServer (+1=32)
• PerlPowerTools (+1=41)
• perlsecret (+1=54)
• Plack::Middleware::REPL (+1=3)
• Promise::ES6 (+1=7)
• Protocol::HTTP (+1=3)
• Protocol::WebSocket::Fast (+1=3)
• Safe::Isa (+1=32)
• Selenium::Remote::Driver (+1=49)
• String::Sprintf (+1=2)
• Test::Mojo::Role::Selenium (+1=8)
• Test::Simple (+1=192)
• Test::WWW::Selenium (+1=18)
• Text::CSV_XS (+1=103)
• Toadfarm (+1=21)
• TPath (+1=2)
• UniEvent (+1=5)
• UniEvent::HTTP (+1=2)
• UniEvent::WebSocket (+1=2)
• URI::Router (+1=7)
• URI::XS (+1=2)

From perldoc perlmod…

An "END" code block is executed as late as possible, that is, after perl
has finished running the program and just before the interpreter is
being exited, even if it is exiting as a result of a die() function.
(But not if it's morphing into another program via "exec", or being
blown out of the water by a signal--you have to trap that yourself (if
you can).) You may have multiple "END" blocks within a file--they will
execute in reverse order of definition; that is: last in, first out
(LIFO). "END" blocks are not executed when you run perl with the "-c"
switch, or if compilation fails....

Perl’s END blocks are useful inside your script for doing things like cleaning up after itself, closing files or disconnecting from databases. In many cases you use an END block to guarantee certain behaviors like a commit or rollback of a transaction. You’ll typically see END blocks in scripts, but occassionally you might find one in a Perl module.

Over the last four years I’ve done a lot of maintenance work on legacy Perl applications. I’ve learned more about Perl in these four years than I learned in the previous 20. Digging into bad code is the best way to learn how to write good code. It’s sometimes hard to decide if code is good or bad but to paraphrase a supreme court justice, I can’t always define bad code, but I know it when I see it.

One of the gems I’ve stumbled upon was a module that provided needed functionality for many scripts that included its own END block.

Putting an END block in a Perl module is an anti-pattern and just bad mojo. A module should never contain an END block. Here are some alternatives:

• If cleanup is necessary, provide (and document) a cleanup() method
• Use a destructor (DESTROY) in an object-oriented module

Modules should provide functionality - not take control of your script’s shutdown behavior.

Why Would Someone Put an END Block in a Perl Module?

The first and most obvious answer is that they were unaware of how DESTROY blocks can be employed. If you know something about the author and you’re convinced they know better, then why else?

I theorize that the author was trying to create a module that would encapsulate functionality that he would use in EVERY script he wrote for the application. While the faux pas might be forgiven I’m not ready to put my wagging finger back in its holster.

If you want to write a wrapper for all your scripts and you’ve already settled on using a Perl module to do so, then please for all that is good and holy do it right. Here are some potential guidelines for that wrapper:

• A new() method that instantiates your wrapper
• An init() method that encapsulates the common startup operations with options to control whether some are executed or not
• A run() method that executes the functionality for the script
• A finalize() method for executing cleanup procedures
• POD that describes the common functionality provided as well as any options for controlling their invocation

All of these methods could be overridden if you just use a plain ‘ol Perl module. For those that prefer composition over inheritance, use a role with something like Role::Tiny to provide those universally required methods. Using Role::Tiny provides better flexibility by allowing you to use those methods before or after your modifications to their behavior.

How Can We Take Back Control?

The particular script I was working on included a module(whose name I shall not speak) that included such an END block. My script should have exited cleanly and quietly. Instead, it produced mysterious messages during shutdown. Worse yet I feared some undocumented behaviors and black magic might have been conjured up during that process! After a bit of debugging, I found the culprit:

• The module had an END block baked into it
• This END block printed debug messages to STDERR while doing other cleanup operations
• Worse, it ran unconditionally when my script terminated

The Naive Approach

My initial attempt to suppress the module’s END block:

END {
    use POSIX;
    POSIX::_exit(0);
}

This works as long as my script exits normally. But if my script dies due to an error, the rogue END block still executes. Not exactly the behavior I want.

A Better Approach

Here’s what I want to happen:

• Prevent any rogue END block from executing.
• Handle errors gracefully.

• Ensure my script always exits with a meaningful status code.

• A better method for scripts that need an END block to claw back control:

use English qw(-no_match_vars);
use POSIX ();

my $retval = eval {
    return main();
};

END {
  if ($EVAL_ERROR) {
      warn "$EVAL_ERROR";  # Preserve exact error message
  }

  POSIX::_exit( $retval // 1 );
}

• Bypasses all END blocks – Since POSIX::_exit() terminates the process immediately
• Handles errors cleanly – If main() throws an exception, we log it without modifying the message
• Forces explicit return values – If main() forgets to return a status, we default to 1, ensuring no silent failures.
• Future maintainers will see exactly what’s happening

Caveat Emptor

Of course, you should know what behavior you are bypassing if you decide to wrestle control back from some misbehaving module. In my case, I knew that the behaviors being executed in the END block could safely be ignored. Even if they couldn’t be ignored, I can still provide those behaviors in my own cleanup procedures.

Isn’t this what future me or the poor wretch tasked with a dumpster dive into a legacy application would want? Explicitly seeing the whole shebang without hours of scratching your head looking for mysterious messages that emanate from the depths is priceless. It’s gold, Jerry! Gold!

Next up…a better wrapper.

The examples used here are from the weekly challenge problem statement and demonstrate the working solution.

Part 1: Minimum Time

You are given a typewriter with lowercase english letters a to z arranged in a circle. Typing a character takes 1 sec. You can move pointer one character clockwise or anti-clockwise. The pointer initially points at a. Write a script to return minimum time it takes to print the given string.

The complete solution is contained in one file that has a simple structure.

For this problem we do not need to include very much. We’re just specifying to use the current version of Perl, for all the latest features in the language. This fragment is also used in Part 2.

All the work is in one subroutine. We use the ASCII values of each character to compute the new value.

Now all we need are a few lines of code for running some tests.

Sample Run

$ perl perl/ch-1.pl 
5 
7 
34
    

Part 2: Balls and Boxes

There are $n balls of mixed colors: red, blue or green. They are all distributed in 10 boxes labelled 0-9. You are given a string describing the location of balls. Write a script to find the number of boxes containing all three colors. Return 0 if none found.

We’re going to use Parse::Yapp for this problem. Writing parsers is fun! This problem is providing an excuse to write one. This approach has been used in past weeks, for example TWC 259 from this time last year. For simplicity, to start with, here is all the code that Parse::Yapp will use as it’s input.

To solve this problem we are going to pass the input string to the parser. The parser is going to return a hash reference which we’ll check to see which boxes contain all the balls, as described in the problem statement.

Finally, we need to confirm everything is working right.

Sample Run

$ yapp -m Ch2 perl/ch-2.yp; mv Ch2.pm perl 
$ perl -I perl perl/ch-2.pl G0B1R2R0B0 
1 
$ perl -I perl perl/ch-2.pl G1R3R6B3G6B1B6R1G3 
3 
$ perl -I perl perl/ch-2.pl B3B2G1B3 
0
    

References

The Weekly Challenge 312
Generated Code

1. App::DBBrowser - Browse SQLite/MySQL/PostgreSQL databases and their tables interactively.
   • Version: 2.424 on 2025-03-09, with 14 votes
   • Previous CPAN version: 2.423 was 1 month, 13 days before
   • Author: KUERBIS
2. App::Netdisco - An open source web-based network management tool.
   • Version: 2.084001 on 2025-03-09, with 17 votes
   • Previous CPAN version: 2.084000 was 4 days before
   • Author: OLIVER
3. ExtUtils::MakeMaker - Create a module Makefile
   • Version: 7.72 on 2025-03-14, with 60 votes
   • Previous CPAN version: 7.70 was 1 year, 11 months, 19 days before
   • Author: BINGOS
4. Firefox::Marionette - Automate the Firefox browser with the Marionette protocol
   • Version: 1.63 on 2025-03-09, with 16 votes
   • Previous CPAN version: 0.77 was 5 years, 8 months, 2 days before
   • Author: DDICK
5. Image::ExifTool - Read and write meta information
   • Version: 13.25 on 2025-03-11, with 43 votes
   • Previous CPAN version: 13.10 was 2 months, 22 days before
   • Author: EXIFTOOL
6. OpenGL - Perl bindings to the OpenGL API, GLU, and GLUT/FreeGLUT
   • Version: 0.7002 on 2025-03-10, with 13 votes
   • Previous CPAN version: 0.70 was 8 years, 5 months, 2 days before
   • Author: ETJ
7. Perl::Tidy - indent and reformat perl scripts
   • Version: 20250311 on 2025-03-11, with 142 votes
   • Previous CPAN version: 20250214 was 26 days before
   • Author: SHANCOCK
8. Prima - a Perl graphic toolkit
   • Version: 1.76 on 2025-03-12, with 44 votes
   • Previous CPAN version: 1.75 was 2 months, 22 days before
   • Author: KARASIK
9. SPVM - The SPVM Language
   • Version: 0.990048 on 2025-03-12, with 35 votes
   • Previous CPAN version: 0.990045 was 19 days before
   • Author: KIMOTO

Introduction

In our previous blog post, we detailed a clever external redirect solution to address the Apache 2.4 regression that broke automatic directory handling when DirectorySlash Off was set. We teased the question: Can we achieve the same behavior with an internal redirect? Spoiler alert - Nope.

In this follow-up post, we’ll explore why internal rewrites fall short, our failed attempts to make them work, and why the external redirect remains the best and only solution.

The Apache 2.2 vs. 2.4 Behavior Shift

How Apache 2.2 Handled Directory Requests

• If a user requested /dir without a trailing slash, Apache would automatically redirect them to /dir/.
• Apache would then serve the directory’s index.html (or any file specified by DirectoryIndex).
• This behavior was automatic and required no additional configuration.

What Changed in Apache 2.4

• When DirectorySlash Off is set, Apache stops auto-redirecting directories.
• Instead of treating /dir as /dir/, Apache tries to serve /dir as a file, which leads to 403 Forbidden errors.
• DirectoryIndex no longer inherits globally from the document root - each directory must be explicitly configured to serve an index file.
• Apache does not reprocess DirectoryIndex after an internal rewrite.

The Internal Rewrite Attempt

Our Initial Idea

Since Apache wasn’t redirecting directories automatically anymore, we thought we could internally rewrite requests like this:

 RewriteEngine On

 # If the request is missing a trailing slash and is a directory, rewrite it internally
 RewriteCond %{REQUEST_URI} !/$
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
 RewriteRule ^(.*)$ /$1/ [L]

Why This Doesn’t Work:

• While this internally rewrites the request, Apache does not reprocess DirectoryIndex after the rewrite.
• If DirectoryIndex is not explicitly defined for each directory, Apache still refuses to serve the file and throws a 403 Forbidden.
• Unlike Apache 2.2, Apache 2.4 treats /dir as a raw file request instead of checking for an index page.

The Per-Directory Fix (Which Also Fails)

To make it work, we tried to manually configure every directory:

<Directory "/var/www/vhosts/treasurersbriefcase/htdocs/setup/">
    Require all granted
    DirectoryIndex index.roc
</Directory>

Why This Also Fails:

• Apache does not reprocess DirectoryIndex after an internal rewrite. Even though DirectoryIndex index.roc is explicitly set, Apache never reaches this directive after rewriting /setup to /setup/.
• Apache still treats /setup/ as an empty directory, leading to a 403 Forbidden error.
• The only way to make this work per directory would be to use an external redirect to force a new request cycle.

This means that even if we were willing to configure every directory manually, it still wouldn’t work as expected.

FallbackResource (Why This Was a Dead End)

We briefly considered whether FallbackResource could help by redirecting requests for directories to their respective index files:

<Directory "/var/www/vhosts/treasurersbriefcase/htdocs/setup/">
    DirectoryIndex index.roc
    Options -Indexes
    Require all granted
    FallbackResource /setup/index.roc
</Directory>

Why This Makes No Sense

• FallbackResource is designed to handle 404 Not Found errors, not 403 Forbidden errors.
• Since Apache already recognizes /setup/ as a valid directory but refuses to serve it, FallbackResource is never triggered.
• This does not address the fundamental issue that Apache does not reprocess DirectoryIndex after an internal rewrite.

This was a red herring in our troubleshooting FallbackResource was never a viable solution.

Sledge Hammer Approach: Direct Rewrite to the Index File

Another way to handle this issue would be to explicitly rewrite directory requests to their corresponding index file, bypassing Apache’s DirectoryIndex handling entirely:

RewriteEngine On
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
RewriteRule ^(.*)$ /$1/index.roc [L]

It works…

• It completely avoids Apache’s broken DirectoryIndex handling in Apache 2.4.
• No need for DirectorySlash Off, since the request is rewritten directly to a file.
• It prevents the 403 Forbidden issue because Apache is no longer serving a bare directory.

…but it’s not ideal

• Every directory would need an explicit rewrite rule to its corresponding index file.
• If different directories use different index files (index.html, index.php, etc.), additional rules would be required.
• This does not scale well without complex conditional logic.

While this approach technically works, it reinforces our main conclusion: - Apache 2.4 no longer restarts the request cycle after a rewrite, so we need to account for it manually. - The external redirect remains the only scalable solution.

Why the External Redirect is the Best Approach

Instead of fighting Apache’s new behavior, we can work with it using an external redirect:

RewriteEngine On
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

Why This Works Perfectly

• Redirects /dir to /dir/ before Apache even tries to serve it.
• Preserves DirectoryIndex behavior globally, just like Apache 2.2.
• No need for per-directory configuration.
• Ensures SEO-friendly canonical URLs with the correct trailing slash.

Conclusion

So, can we solve with an internal redirect?

• NO! … because Apache does not reprocess DirectoryIndex after an internal rewrite.
• Even explicit per-directory DirectoryIndex settings fail if Apache has already decided the request is invalid.
• FallbackResource never applied, since Apache rejected the request with 403 Forbidden, not 404 Not Found.

Does our external redirect solution still hold up?

Yes!!, and in fact, it’s not just the best solution - it’s the only reliable one.

Lessons Learned

• Apache 2.4 fundamentally changed how it handles directory requests when DirectorySlash Off is set.
• Internal rewrites cannot fully restore Apache 2.2 behavior because Apache does not restart request processing after a rewrite.
• The only way to ensure correct behavior is to use an external redirect before Apache attempts to serve the request.

If you haven’t read our original post yet, check it out here for the full explanation of our external redirect fix.

In part III of this series we’ll beat this dead horse and potentially explain why this was a problem in the first place…

As an online trading company processing millions of transactions daily, we recognise technologies that stand the test of time. For 25 years, Perl has been integral to our operations, and we remain committed to the ecosystem that helped shape our technical foundation.

Architecture Built for Scale

From our 1999 launch, Perl’s unmatched text processing and CPAN’s modular approach enabled us to evolve into a global platform. Core systems handling complex financial workflows leverage Perl’s stability, with key components still running the same battle-tested code developed in our early years.

Engineering Milestones

Here are some of the activities we’ve done with Perl:

• Engineered microservices using Myriad’s framework
• Created real-time trading systems with Net::Async
• Published open-source integrations for Postgres and Redis
• Developed proprietary market analysis tools still in daily use

These implementations demonstrate Perl’s capacity to support robust, long-term solutions in demanding technical environments.

Investing in Shared Infrastructure

Our support of MetaCPAN stems from a clear conviction: foundational tools deserve sustained backing. While our new projects explore different technical approaches, we actively maintain:

• Support for MetaCPAN’s essential developer resources
• Participation in community-driven knowledge sharing
• Commitment to CPAN’s maintenance standards

“Great technologies create lasting value,” says Chris Horn, Head of Engineering. “Our support for Perl’s ecosystem honours its foundational role in our growth while helping sustain resources that benefit developers worldwide.”

Our Open Source Commitment

Backing Perl’s ecosystem reflects Deriv’s long-standing belief in collaborative development. We’re proud to continue our MetaCPAN sponsorship through 2025 and support the Perl community as part of our ongoing commitment to open-source.

How to Fix Apache 2.4 Broken Directory Requests

Introduction

I’m currently re-architecting my non-profit accounting SaaS (Treasurer’s Briefcase) to use Docker containers for a portable development environment and eventually for running under Kubernetes. The current architecture designed in 2012 uses an EC2 based environment for both development and run-time execution.

As part of that effort I’m migrating from Apache 2.2 to 2.4. In the new development environment I’m using my Chromebook to access the containerized application running on the EC2 dev server. I described that setup in my previous blog. In that setup I’m accessing the application on port 8080 as http://local-dev:8080.

If, as in the setup describe in my blog, you are running Apache on a non-standard port (e.g., :8080) - perhaps in Docker, EC2, or via an SSH tunnel you may have noticed an annoying issue after migrating from Apache 2.2 to Apache 2.4…

Apache 2.4 Drops the Port When Redirecting Directories!

Previously, when requesting a directory without a trailing slash (e.g., /setup), Apache automatically redirected to /setup/ while preserving the port. However, in Apache 2.4, the redirect is done externally AND drops the port, breaking relative URLs and form submissions.

For example let’s suppose you have a form under the /setup directory that has as its action “next-step.html”. The expected behavior on that page would be to post to the page /setup/next-step.html. But what really happens is different. You can’t even get to the form in the first place with the URL http://local-dev:8080/setup!

• Expected Redirect (Apache 2.2):\ http://yourserver:8080/setup => http://yourserver:8080/setup/
• Actual Redirect (Apache 2.4, Broken):\ http://yourserver:8080/setup => http://yourserver/setup/ (port 8080 is missing!)

This causes problems for some pages in web applications running behind Docker, SSH tunnels, and EC2 environments, where port forwarding is typically used.

Investigating the Issue

If you’re experiencing this problem, you can confirm it by running:

curl -IL http://yourserver:8080/setup

You’ll likely see:

HTTP/1.1 301 Moved Permanently
Location: http://yourserver/setup/

Apache dropped 8080 from the redirect, causing requests to break.

Workarounds

Several workarounds exist, but they don’t work in our example.

• Disabling DirectorySlash: Prevents redirects but causes 403 Forbidden errors when accessing directories.
• Using FallbackResource: Works, but misroutes unrelated requests.
• Hardcoding the port in rewrite rules: Not flexible across different environments.

Instead, we need a solution that dynamically preserves the port when necessary.

The Fix

To restore Apache 2.2 behavior, we can use a rewrite rule that only preserves the port if it was in the original request.

Apache 2.4 Fix: Port-Preserving Rewrite Rule

<VirtualHost *:8080>
    ServerName yourserver
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.html index.php
        Require all granted
        DirectorySlash On  # Keep normal Apache directory behavior
    </Directory>

    # Fix Apache 2.4 Directory Redirects: Preserve Non-Standard Ports
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !/$
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
    RewriteCond %{SERVER_PORT} !^80$ [OR]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

    UseCanonicalName Off
</VirtualHost>

Explanation

• Automatically appends a missing trailing slash (/setup => /setup/).
• Preserves the port only if it’s non-standard (!=80, !=443)
• Avoids hardcoding :8080, making it flexible for any non-standard port
• Restores Apache 2.2 behavior while keeping things modern and correct.

Example: Running Apache in Docker on EC2 via SSH Tunnel

The Setup (see previous blog)

1. Docker container running Apache on port 80 inside an EC2 instance.
2. Firewall rules allow only my home IP to access the server.
3. SSH tunnel (jump box) forwards port 80 securely.
4. Chromebook’s SSH settings forward port 8080 locally to 80 on the jump box.

How the Fix Helps

• Previously, /setup redirected externally without the port, causing failures.
• This fix use mod_rewrite and a RewriteRule that ensures that port 8080 is preserved

Conclusion

Apache 2.4’s port-dropping behavior is an unexpected regression from 2.2, but we can fix it with a simple rewrite rule that restores the expected behavior without breaking anything.

If you’re running Docker, EC2, or SSH tunnels, this is a fix that will prevent you from jumping through hoops by altering the application or changing your networking setup.

Postamble

Hmmmm…maybe we can use internal redirects instead of an external redirect??? Stay tuned.

Introduction

In our previous posts, we explored how Apache 2.4 changed its handling of directory requests when DirectorySlash Off is set, breaking the implicit /dir → /dir/ redirect behavior that worked in Apache 2.2. We concluded that while an external redirect is the only reliable fix, this change in behavior led us to an even bigger question:

Is this a bug or an intentional design change in Apache?

After digging deeper, we’ve uncovered something critically important that is not well-documented:

Apache does not restart the request cycle after an internal rewrite, and this can break expected behaviors like DirectoryIndex.

This post explores why this happens, whether it’s a feature or a bug, and why Apache’s documentation should explicitly clarify this behavior.

What Happens When Apache Internally Rewrites a Request?

Let’s revisit the problem: we tried using an internal rewrite to append a trailing slash for directory requests:

RewriteEngine On
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
RewriteRule ^(.*)$ /$1/ [L]

Expected Behavior: - Apache should internally rewrite /setup to /setup/. - Since DirectoryIndex index.roc is set, Apache should serve index.roc.

Actual Behavior: - Apache internally rewrites /setup to /setup/, but then immediately fails with a 403 Forbidden. - The error log states: AH01276: Cannot serve directory /var/www/vhosts/treasurersbriefcase/htdocs/setup/: No matching DirectoryIndex (none) found - Apache is treating /setup/ as an empty directory instead of recognizing index.roc.

The Key Issue: Apache Does Not Restart Request Processing After an Internal Rewrite

Unlike what many admins assume, Apache does not start over after an internal rewrite.

How Apache Processes Requests (Simplified)

1. The request arrives (/setup).
2. Apache processes mod_rewrite.
3. Apache determines how to serve the request.
4. If an index file (index.html, index.php, etc.) exists, DirectoryIndex resolves it.

Why Internal Rewrites Don’t Restart Processing

• Apache processes mod_rewrite before it checks DirectoryIndex.
• Once a rewrite occurs, Apache continues processing from where it left off.
• This means it does not re-check DirectoryIndex after an internal rewrite.
• Instead, it sees /setup/ as an empty directory with no default file and denies access with 403 Forbidden.

Is This a Bug or a Feature?

First, let’s discuss why this worked in Apache 2.2.

The key reason internal rewrites worked in Apache 2.2 is that Apache restarted the request processing cycle after a rewrite. This meant that:

• After an internal rewrite, Apache treated the rewritten request as a brand-new request.
• As a result, it re-evaluated DirectoryIndex and correctly served index.html, index.php, or any configured default file.
• Since DirectorySlash was handled earlier in the request cycle, Apache 2.2 still applied directory handling rules properly, even after an internal rewrite.

In Apache 2.4, this behavior changed. Instead of restarting the request cycle, Apache continues processing the request from where it left off. This means that after an internal rewrite, DirectoryIndex is never reprocessed, leading to the 403 Forbidden errors we encountered. This fundamental change explains why no internal solution works the way it did in Apache 2.2.

Why It’s Likely an Intentional Feature

• In Apache 2.2, some rewrites did restart the request cycle, which was seen as inefficient.
• In Apache 2.4, request processing was optimized for performance, meaning it does not restart after an internal rewrite.
• The behavior is consistent across different Apache 2.4 installations.
• Some discussions in Apache’s mailing lists and bug tracker mention this as “expected behavior.”

Why This is Still a Problem

• This behavior is not explicitly documented in mod_rewrite or DirectoryIndex docs.
• Most admins expect Apache to reprocess the request fully after a rewrite.
• The lack of clarity leads to confusion and wasted debugging time.

Implications for Apache 2.4 Users

1. Mod_Rewrite Behavior is Different From What Many Assume

• Internal rewrites do not restart request processing.
• DirectoryIndex is only evaluated once, before the rewrite happens.
• This is not obvious from Apache’s documentation.

2. The Only Reliable Fix is an External Redirect

Since Apache won’t reprocess DirectoryIndex, the only way to guarantee correct behavior is to force a new request via an external redirect:

RewriteEngine On
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -d
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

This forces Apache to start a completely new request cycle, ensuring that DirectoryIndex is evaluated properly.

3. Apache Should Improve Its Documentation

We believe this behavior should be explicitly documented in: - mod_rewrite documentation (stating that rewrites do not restart request processing). - DirectoryIndex documentation (noting that it will not be re-evaluated after an internal rewrite).

This would prevent confusion and help developers troubleshoot these issues more efficiently.

Conclusion: A Feature, But a Poorly Documented One

• The fact that Apache does not restart processing after an internal rewrite is likely an intentional design choice.
• However, this is not well-documented, leading to confusion.
• The only solution remains an external redirect to force a fresh request cycle.
• We believe Apache should update its documentation to reflect this behavior more clearly.

That was a big year for CPANSec.

In case some of the activities this year flew under your radar, please find some of the achievements listed in this retrospective!

Common Vulnerabilities and Exposures (CVEs)

In 2024, CPANSec worked to illustrate the importance of the Common Vulnerabilities and Exposures (CVE) process.

Until then, our experience is that very few CVEs were published for Perl modules and tooling.
Beyond that, people and authors were a bit reluctant to deal with those CVEs.

CVEs are not a sign of bad quality or maintenance of a code, but a professional way of tagging and tracking a vulnerability, also indicating the importance of the concerned code.

Vulnerable Spreadsheet Parsing modules

The start of the year was marked by vulnerabilities reported for Spreadsheet::ParseExcel:

• CVE-2023-7101: Spreadsheet::ParseExcel arbitrary code execution vulnerability
• CVE-2024-22368: Spreadsheet::ParseXLSX denial of service vulnerability
• CVE-2024-23525: Spreadsheet::ParseXLSX XML external entity attack vulnerability

Insecure modes of CPAN installers

CPANSec continued with CPAN installer cpanminus (a major installer of the Perl ecosystem):

• CVE-2024-45321: App::cpanminus through 1.7047 downloads code using insecure HTTP

This latest is a bit related to a fix from a CPANSec member earlier in 2023 to the CPAN installer cpan (part of Perl core distribution):

• CVE-2023-31484: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS

Other

Similarly, a CVE was emitted for the POSIX::2008 module:

• CVE-2024-55564: POSIX::2008 package before 0.24 for Perl has a potential execve50c env buffer overflow

Improving CVE tooling

Along with CVEs, tooling to monitor, fetch or test for them is very useful. They can be installed in workflows or tooling as a gate keeper so that companies do not ship vulnerable pieces of code.

CPANSec produced and improved a few tools to fetch or test for CVEs:

• CPANSEC::Admin::Command::CVEScan
• Net::NVD
• Net::CVE
• Test::CVE

Note: Not all CVE tooling are managed by CPANSec, I’m thinking in particular CPAN::Audit and its sidecar CPAN::Audit::DB or NIST::NVD.

But CPANSec follows closely and contributes to them when possible.

CPANSec as a CVE Numbering Authority (CNA)

In 2023 and 2024, if CPANSec helped with or contributed to CVEs for CPAN, the assignment of CVEs remained under control of another CNA, MITRE.

CPANSec members worked throughout the year to give the group the ability to assign CVEs. After all, who knows better than CPANSec the impact of CVEs on Perl modules? (If you know someone, send them our way! :)

By end of the year, the groundwork to become a CNA was completed.

This designation was officially granted in February 2025: CPANSec is now a CVE Numbering Authority (CNA)!

The news of CPANSec becoming CVE Numbering Authority (CNA) was saluted by community luminaries like Greg Kroah-Hartman (Linux kernel) and Daniel Stenberg (cURL).

The CNA administrators are Timothy Legge, Stig Palmquist and Breno G. de Oliveira.

Introduced a SECURITY Policy template

In parallel, CPANSec collectively pushed for authors to publish a Security Policy.

Doing so is considered Open Source Good Practice, especially as security is becoming more and more critical.

This effort resulted in creating a template, providing guidelines and, last but not least, communicating this initiative in various channels.

In order to help authors integrating a Security Policy, new tools Software::Security::Policy and Dist::Zilla::Plugin::SecurityPolicy were created and published.

Study on Random Number generation for Security

Generating random numbers can help in a wide variety of tasks. All of them don’t have the same level of criticality. In particular, random generated data used in a security context requires extra care.

CPANSec studied and reviewed CPAN modules for this use, and shared this in Random Data For Security Use.

Working on “TLS in core”

A vanilla install of Perl (distribution) does not provide HTTPS capabilities, and this is annoying. That’s an important (and difficult) topic that is addressed, across core developers and CPANSec.

Things started to go into motion in 2024 to make it happen.

Discussions, with the Perl Steering Council and core contributors. A plan was created, with some preliminary work happening.

One notable contribution is the creation of the new module Crypt::Bear by LEONT to wrap the TLS library BearSSL.

Software Bill Of Materials (SBOM)

CPANSec attended many meetings in other security-related communities, and cross-connected with several other organization working on the topic.

One of the outcomes of this effort is available as in the form of an ongoing study on Roles and metadata in open source supply-chains, but it goes well beyond that.

Adopting security related modules

CPANSec volunteers adopted security related modules:

• Crypt::DSA
• Crypt::DES_EDE3
• Crypt::OpenPGP
• Crypt::OpenSSL::AES
• Crypt::OpenSSL::Blowfish
• Crypt::OpenSSL::PKCS10
• Crypt::Primes
• Crypt::Random
• Module::Signature
• Net::OAuth

Adopting modules is not always the only option, and CPANSec also reviewed modules for insecure algorithms in order to offer recommendations or propose deprecation.

Reviewing CPAN for supply chain attacks

Through the year, CPANSec volunteers preformed an analysis of the CPAN ecosystem to know exactly how much vulnerable it would be to some common supply chain attacks:

• Study CPAN Dependency Confusion

More attacks vectors were also looked at, including starjacking and the topic of stealing namespaces.

Pentesting PAUSE

CPANSec volunteers reviewed and tested PAUSE with various attempts to break it with nasty modules, steal namespaces or execute remote code.

This was done on a local instance made possible thanks to the hard work of automation from “Table PAUSE” at Perl Toolchain Summit 2024 that was later improved, tweaked (fast indexing, minor fixes…) and containerized by CPANSec.

Outside of pentesting, these deliveries are useful for plenty of tests (on indexing, on PAUSE functionning itself) or as a local development environment of PAUSE.

Outreach

If CPANSpec is taking care of security aspects of CPAN and Perl, it’s also promoting Perl in general, actively recruiting for open source security.

This is in this scope that the group had a presence in several events. From Perl Toolchain Summit 2024 to London Perl and Raku Workshop 2024, but also FOSDEM 2024 and the OpenSSF summit.

Other

CPANSec also initiated a discussion (with a proposed change) to enable Secure by default sessions in Mojolicious.

CPANSec had a recurring discussion on the topic of module signatures. Reviewing the limitations “by design” of the current options, and thinking about a correct way to implement that feature. Similarly, discussions about CPAN installer enhancements (“Do not install module version with a CVE”, “Patch module on the fly at install”. etc…) were had, but only at an early stage.

At the very end of 2024, CPANSec reviewed the state of the art vulnerability of Perl bcrypt related modules (Crypt::bcrypt, Digest::Bcrypt) on misuse following the Okta reported incident.

Who we are?

I attributed many of previous achievements to “CPANSec”, but who was part of the “CPANSec group” in 2024?

In last name alphabetical order:

Olaf Alders
José Joaquín Atria
H.Merijn Brand
Thibault Duponchelle
Alexander Hartmaier
Alexander Karelas
Peter Krawczyk
Timothy Legge
Tina Müller
Ingy döt Net
Salve J. Nilsen
Breno G. de Oliveira
Stig Palmquist
Nicolas Rochelemagne
Robert Rothenberg
Giuseppe Di Terlizzi
Leon Timmermans

Final words

This was a big year; The group really took shape and get full speed with progress in many places.

The group met regularly (18 meetings!), had fun and got outstanding results. This is the year when CPANSec got traction as a recognized supporting organization for securing the Perl/CPAN ecosystem.

With so many visible and impacting outcomes, 2024 confirmed well beyond expectations that CPANSec has a raison d’être.

It was also a very rewarding year for all people involved! Looking forward to a similarly successful 2025 :)

The examples used here are from the weekly challenge problem statement and demonstrate the working solution.

Part 1: Upper Lower

You are given a string consists of english letters only. Write a script to convert lower case to upper and upper case to lower in the given string.

The complete solution is contained in one file that has a simple structure.

For this problem we do not need to include very much. We’re just specifying to use the current version of Perl, for all the latest features in the language. This fragment is also used in Part 2.

All the work is in one subroutine. We use the ASCII values of each character to compute the new value.

Now all we need are a few lines of code for running some tests.

Sample Run

$ perl perl/ch-1.pl 
PerL 
RAKu 
pYtHoN
    

Part 2: Group Digit Sum

You are given a string, $str, made up of digits, and an integer, $int, which is less than the length of the given string. Write a script to divide the given string into consecutive groups of size $int (plus one for leftovers if any). Then sum the digits of each group, and concatenate all group sums to create a new string. If the length of the new string is less than or equal to the given integer then return the new string, otherwise continue the process.

To solve this problem we need to do the following

1.

divide the list into groups of the given size

2.

compute the sums

3.

recombine

4.

repeat as needed

Let’s look at each of those pieces individually and then combine them together into one subroutine.

With that work take care of, let’s combine all these pieces into one subroutine.

Finally, here’s a few tests to confirm everything is working right.

Sample Run

$ perl perl/ch-2.pl 
359 
76 
162
    

References

The Weekly Challenge 311
Generated Code

Using a Chromebook for Remote Web Development

Introduction

If you’re doing some development on a remote server that you access via a bastion host (e.g., an EC2 instance), and you want a seamless way to work from a Chromebook, you can set up an SSH tunnel through the bastion host to access your development server.

This guide outlines how to configure a secure and efficient development workflow using Docker, SSH tunnels, and a Chromebook.

Motivation

Your Chromebook is a great development environment, but truth be told, the cloud is better. Why? Because you can leverage a bucket load of functionality, resources and infrastructure that is powerful yet inexpensive. Did I mention backups? My Chromebook running a version of debian rocks, but in general I use it as a conduit to the cloud.

So here’s the best of both worlds. I can use a kick-butt terminal (terminator) on my Chromie and use its networking mojo to access my web servers running in the cloud.

Network Setup Overview

In this setup:

• The Chromebook runs Linux and connects via SSH to the bastion host.
• The bastion host acts as an intermediary, forwarding requests to the private EC2 development server.
• The EC2 instance is firewalled and only accessible from the bastion host.
• Port 80 on the EC2 instance is mapped to port 8080 locally on the Chromebook through the SSH tunnel. You’ll need to set that up on your Chromebook in the Linux development environment settings.

Network Diagram

Here’s what it looks like in ASCII art…

   +--------------+    +--------------+    +--------------+
   | Chromebook   |    | Bastion Host |    |     EC2      |
   |              | 22 |              | 22 |              |
   |  Local SSH   |----|   Jump Box   |----| Development  |
   |  Tunnel:8080 | 80 | (Accessible) | 80 |  Server      |
   +--------------+    +--------------+    +--------------+

Setting Up the SSH Tunnel

To create an SSH tunnel through the bastion host:

ssh -N -L 8080:EC2_PRIVATE_IP:80 user@bastion-host

Explanation:

• -N: Do not execute remote commands, just forward ports.
• -L 8080:EC2_PRIVATE_IP:80: Forwards local port 8080 to port 80 on the development server (EC2 instance).
• user@bastion-host: SSH into the bastion host as user.

Once connected, any request to localhost:8080 on the Chromebook will be forwarded to port 80 on the EC2 instance.

Making It Persistent on Your Chromebook

To maintain the tunnel connection automatically:

1. Use an SSH config file (~/.ssh/config):

Host bastion
    HostName bastion-host
    User your-user
    IdentityFile ~/.ssh/id_rsa
    LocalForward 8080 EC2_PRIVATE_IP:80
    ServerAliveInterval 60
    ServerAliveCountMax 3

1. Start the tunnel in the background:

ssh -fN bastion

1. Verify it is working:

curl -I http://localhost:8080

You should see a response from your EC2 instance’s web server.

Integrating with Docker on EC2

If your EC2 instance runs a Dockerized web application, expose port 80 from the container:

docker run -d -p 80:80 my-web-app

Now, accessing http://localhost:8080 on your Chromebook browser will open the web app running inside the Docker container on EC2.

Final Thoughts

This setup allows you to securely access a remote development environment from a Chromebook, leveraging SSH tunneling through a bastion host.

• Why This Works:
  • Keeps the EC2 instance private while still making it accessible for development.
  • Allows seamless local access (localhost:8080) to a remote web app.
  • Works even when using strict firewall rules.

Now you can develop on remote servers with a Chromebook, as if they were local!