develooper Front page | perl.modules | Postings from April 2018

Wishing to adopt https://metacpan.org/pod/Crypt::OpenSSL::RSA

From: john napiorkowski
Date: April 11, 2018 03:51
Subject: Wishing to adopt https://metacpan.org/pod/Crypt::OpenSSL::RSA
Message ID: CAMF3VnhocA8rqu8F-UEHoQKcR7xdHOyirg=QhpSF4Ez7ueh3Lw@mail.gmail.com

Hi,

My company (and apparently a number of people from the look of the bug
queue) rely on this module (https://metacpan.org/pod/Crypt::OpenSSL::RSA)
on the job.  However there is a critical bug in it with an outstanding
patch that the current maintainer doesn't seem interested in dealing with.
Here's the testers reports:

https://www.cpantesters.org/distro/C/Crypt-OpenSSL-RSA.html?oncpan=1&distmat=1&version=0.28&grade=3

As you can see it's failing to install quite consistently over the past year
plus, which is due to critical security fixes in OpenSSL becoming the
commonly default install on most servers.  This security-fixed version of
OpenSSL does not compile with the currently released CPAN code.

Here's the bug report / patch from last year:

https://github.com/monken/Crypt-OpenSSL-RSA/pull/18

As you can see the patch is trivial.

When I emailed the current maintainer, cpan ID 'PERLER' he at first seemed
willing to do one more emergency release to get us past the current
crisis.  He did indeed merge the PR but has not released the code to CPAN.
In the email exchange I had with him he seems to indicate that he doesn't
do Perl a lot anymore and had forgotten how to upload and prep a module for
CPAN.  I gave him instructions via email on how to do that and offered to
pair on it if he was stuck, but I never heard back (that was 2 weeks ago).
It's starting to look like this is not something the current maintainer
wants to deal with or has time for.  Additionally it's not a long-term
solution since he has only comaint rights and can't transfer ownership to a
willing maintainer should issues arise in the future.

I also emailed the current 'first-come' author 'IROBERTS' who has not
responded to emails for more than 6 weeks and from reviewing the record
does not seem to be active in Perl / CPAN anymore (no uploads to CPAN in
more than 10 years from what I can see).

This module is actually fairly important as a number of other modules
related to cryptography use it.  Given that I think it needs a maintainer
willing to do the basics and also one that will turn it over to someone
else should s/he decide to retire (someone with first-come that is willing
to migrate that authority to someone else when the time comes).  I'd be
very willing to become first come on this and release an update since my
company uses it. My CPAN id is JJNAPIORK and I've got a pretty decent track
record on CPAN of doing trustworthy releases.  My plan would be to release
quickly a patched version of this, and also it looks like from the github
pull request record that there's a number of outstanding patches that could
be merged as well.  Also I will contact some of the people that send
patches to this code and find out if they want comaint that way there's no
longer a single point of failure on this.  So I'm requesting that I be
granted first-come on this module.

Please let me know what else I should do to make this possible.

Regards,

John Napiorkowski (JJNAPIORK)
