H.Merijn Brand (‎Tux‎)

• Analysis of the Test::Smoke database
• Attempt to convert that to Test2::Builder architecture (proved to be of no use)
• Extract binary data out of that 150 Gb+ database into local files
• replace bytea entries with locations of those files (new size is just over 300 Mb + 77 Gb of files on disk
• Discuss and help with new maint setup for webUI and API for Test::Smoke results. Thanks Todd Rinaldo (‎toddr‎) for picking this up!!!!
• Talk about Configure and its bus factor. Incl a podcast recording with Philippe Bruhat (‎BooK‎))
• Evaluate new Devel::Cover and help digging into failures
• Digging into Test2::Harness fallout due to installation of an old(er) version-conflict
• Fix stack corruption issue in Text::CSV_XS (Thanks Leon Timmermans (‎leont‎)!)
• Many many useful discussions

Shoichi Kaji (‎skaji‎)

• Released cpm v1: https://metacpan.org/pod/App::cpm

Tina Müller (‎tinita‎)

• YAML::XS
  • Fix memory leak for trailing UTF8 octets
  • Fix detecting floats in YAML 1.2 Core Schema
  • v0.906.1-TRIAL: Turn off cyclic references by default (potential memory leak)
• YAML::PP
  • Security: Limit default allowed maximum nesting level.
• libyaml
  • Fix Denial of Service vulnerability: Limit depth of nesting by default
  • Handle closing flow sequence after explicit key
• Sat together with Thibault Duponchelle (‎tibtib‎) and talked about attack vectors in PAUSE regarding YAML

atoomic

• Quick Summary for PSC26: Open 42 issues ; Worked on 141 PRs ; 86 Merged
• Mainly focused on Test-More/Test2-Harness refactor with 27 PRs merged
• but also updated, modernized and released v2 for perl-actions/install-with-cpm, perl-actions/install-with-cpanminus
  • update node to v24
  • several security updates
  • upstream stack up to date
  • added a few extra features: retry, cache, mirror...
• TimeDate -Worked on 14 issues
• Clone: merged 4 PRs ; release pending
• helped modernized Perl-Toolchain-Gang/Test-Smoke
• exchanged on feature requests for metacpan/metacpan-grep-front-end
• workshop: collaborate with Robert on automation Policy
• talk: AI discussion, attended Perl Core features talk from Leonerd

Thomas Klausner (‎domm‎)

• Added a local-dev setup using docker-compose to PAUSE: https://github.com/andk/pause/pull/588, already merged!
• Might have been shanghaied to look into making PAUSE an OAuth2 identity provider
• Attended a interview podcast recording about Vienna.pm with Philippe Bruhat (‎BooK‎)
• Running errands, un/locking doors, organize food etc

Paul Evans (‎LeoNerd‎)

• Presented two talks outlining upcoming or potential future core perl ideas and designs
• Lots of discussions about class/role feature design
• Fixed a small bug in the `Socket` dual-life module
• Pointed atoomic+Todd Rinaldo (‎toddr‎) at the "static cow" ability of newer perls as a nicer way to solve a `B::C` issue
• Looked into `Devel::Cover` interactions with perl's `PL_perldb` variable with Paul Johnson (‎pjcj‎)
• Lent some words on the theme of the ever-looming "AI tools" discussions
• Held an in-person PSC meeting to triage the release-blocker queue and manage some outstanding issues
• Attended a interview podcast recording with the PSC with Philippe Bruhat (‎BooK‎)

Robert Rothenberg (‎rrwo‎)

• Worked with CPANSec on various projects
  • Vulnerability discovery
    • Released a fix for Text::Minify::XS (thanks to Karl Williamson for helpful advice on handling Unicode in XS)

• CNA improving the vulnerability to fix and disclosure workflow
  • We want to reduce delays to releasing fixes and disclosing vulnerabilities, but we also want to communicate with authors in a way that does not put pressure on them.
    • CPANSec is a resource to assist authors with security issues.

• Working on a ideas with Salve J. Nilsen (‎sjn‎) about where new kinds of metadata should go, so that authors can experiment with it over the next year.
  • Blog post(s) will be forthcoming
  • A proposal for documenting how AI and automation fits into a project (with atoomic)
  • Ideas in GitHub at https://github.com/CPAN-Security/cpan-metadata-v3
• Joined the DBI core maintenance team
• Participated in various discussions
  • AI usage meeting was lively but productive.
  • Paul Evans (‎LeoNerd‎) talks about upcoming and potential improvements.
  • Karl Williamson on UTF-8
  • Salve J. Nilsen (‎sjn‎)'s talks on CRA and steward organization
  • META v3 and Community Health Documentation

Christian Walde (‎Mithaldu‎)

• PPI - several releases with:
  • two separate performance fixes for features/signature parsing in large files (thanks mauke)
  • support for dotted bitwise operators (thanks BooK)
  • fixes for code location indexing (thanks myrrhlin)
  • many other small things
• had toddr help me automatically generate a lot of PPI tests (and some fixes) for currently broken behaviours
• several conversations with Leonerd on the relationship between classes and roles and better replacements for roles, as well as what makes acceptable behaviours in po syntax; and advice on how to get feedback with little effort

Andreas Koenig

• released CPAN.pm-2.39-TRIAL
• Security fixes on PAUSE
  • Ignore README or META.xxx in uploaded distributions when they are symlinks (Stig Palmquist)
  • Fix Possible timing attack in ABRA lookup (Thibault Duponchelle)
  • replace rand() with Crypt::URandom::urandom() (Thibault Duponchelle)
  • discussed some more potential security issues with Stig Palmquist and Graham Knop
• applied circa 15 pull requests to PAUSE together with Kenichi Ishigaki
• participated in discussions about deprecation of Module::Signature and shutdown of the email forwarding service for the CPAN

Timothy Legge (‎timlegge‎)

• Various CPANSec discussions
  • CNA - How to reduce the required to issues CVEs
  • CNA - Improve the disclosure workflow process
  • CNA - Recognize the impact of security reports on maintainers
• Worked with Todd Rinaldo (‎toddr‎) to release Crypt::OpenSSL:::RSA which restored PKCS1 v1.5 padding for signatures
• Participated in various discussions on:
  • CPAN Clients
  • Perl Platform support
  • AI and the Perl Community
  • Karl Williamson on UTF-8
• H.Merijn Brand (‎Tux‎) presented metaconfig and Configure to a small number of us
  • While not frequently changing H.Merijn Brand (‎Tux‎) gave us a great understanding of its importance and how it works
  • The hope is to improve the bus factor
• Deprecated Module::Signature
  • Audrey approved its deprecation
  • Module::Signature does not provide the expected security assurances
  • It is time to retire it and look for a new solution

Lukas Mai (‎mauke‎)

• helped Christian Walde (‎Mithaldu‎) disentangle and release a PPI patch (performance improvements)
• opened a handful of pull requests in CPAN modules to eliminate string comparisons on $] (e.g. `if ($] lt "5.010")`), which will break if $] exceeds 10.0 (e.g. if we were to "drop the 5.")
• attended talks by Paul Evans (‎LeoNerd‎) (future features, language design), Karl Williamson (UTF-8)
• many, many discussions

Doug Bell (‎preaction‎)

• Begun parsing report text to fill in data
  • Starting from Andreas's CPAN::Testers::ParseReport
  • Now have a framework to parallelize jobs over the entire report set
• Started to sync from backpan.perl.org to fill in CPAN Testers's backpan
  • Recovery from last winter's outage
• Initial MCP server for AI agents at https://mcp.cpantesters.org
• Started importing parsed reports into a new Postgres schema
  • Goal is to be able to travel upstream and downstream to aggregate report data

Philippe Bruhat (‎BooK‎)

• released Perl-Version-Bumper 0.256, thanks to the newly added support for dotted bitwise operators in PPI
• discussed implementing a new utility method for PPI (akin to PPIx::Literal), and started implementing it
• attended several meetings: April Task Force, CPAN clients, AI discussion, Perl platforms, Paul Evans (‎LeoNerd‎)'s talks
• rebased the "drop the 5" branch for Perl (PPC 0025)
• several PTS organiser discussions and tasks, including for 2027
• recorded over 5 hours of interviews for The Underbar podcast: Configure (H.Merijn Brand (‎Tux‎)), Vienna.pm, PPI (Christian Walde (‎Mithaldu‎)), the PSC, Karl Williamson.

Kenichi Ishigaki (‎charsbar‎)

• published accumulated local changes on CPANTS
  • bumped javascript libraries (notably, bootstrap from 3 to 5)
  • restored old API endpoints
• implemented a new API application for PAUSE
• made several pull requests to PAUSE
• shipped Parse::LocalDistribution to reflect changes for PAUSE
• asked the maintainer of Encode to cut a release
• joined a few discussions

Thomas Baugh (‎Andy‎)

• Helped out exodist with the Test2::Harness refactors on the 2.0 branch.
  • Very near to completion
  • I still need to finish polishing/testing preloads feature ;_;
• Learned how to use koanbot from atoomic
• For fun vibecoded a test runner script based on MCE and Log::Dispatch.
  • https://github.com/Troglodyne-Internet-Widgets/perl-app-prover
  • Slightly faster than App::Prove when using concurrency (surprising for basically an experiment)
  • I plan to use it to try to make benchmarks with once Test2::Harness rework is done.

Shawn Sorichetti (‎hide‎)

• Migrated all MetaCPAN secrets from SealedSecrets to External Secrets Operator backed by 1Password, eliminating per-cluster encrypted-blob duplication and removing secrets (even encrypted ones) from the git repo entirely
• Migrated every SealedSecret across the platform: cert-manager (Cloudflare DNS), ArgoCD (GitHub OAuth), loki, kube-prometheus, kube-thanos, and application secrets for web, api, test-smoke, and backpan-syncer
• Refactored ExternalSecrets from environments/prod/ into each app's base/ with namespace injection via Kustomize overlays, verified byte-identical kustomize build output before and after
• Switched ArgoCD repo access to GitHub App authentication after the OAuth secret transition
• Stood up a full parallel production stack (prod-hz) on Hetzner/CloudFleet running all seven MetaCPAN apps as a blue/green shadow of the DigitalOcean cluster - launched without SealedSecrets ever being deployed to it
• Built per-app environments/prod-hz/ Kustomize overlays plus separate ArgoCD AppProject and Application definitions targeting the hz cluster
• Installed the platform layer via a vendored Helm pattern (Makefile + values.yaml + checked-in vendor/) for ArgoCD, Hetzner CSI driver, CloudNative PG operator, and the CloudFleet node autoprovisioner - making installs reproducible without runtime internet pulls
• Wrote a Python script to query Datadog for P95 CPU and memory across all workloads and generate tuned resource requests, so the hz cluster launched with data-driven sizing instead of guesses; documented the methodology in scripts/README.md
• Pinned all hz workloads to Germany via nodeAffinity on topology.kubernetes.io/region (fsn1, nbg1), aligned with the CloudFleet NodePool restriction
• Added topologySpreadConstraints to web for even pod distribution across German availability zones; pinned backpan-syncer, grep, and test-smoke specifically to Frankfurt for storage locality
• Added PodDisruptionBudgets (maxUnavailable: 1) to web and web-search in the base, guaranteeing at least two pods serve traffic during voluntary disruptions in any cluster
• Set ServerSideDiff as the cluster-wide ArgoCD default, eliminating spurious diffs caused by ESO operator-injected fields
• Added ignoreDifferences rules covering PVC post-binding fields, eight ESO webhook-injected fields on ExternalSecret, Karpenter NodePool CRD defaults, and DatadogAgent operator-version fields - fixing perpetual OutOfSync states across both clusters
• Replaced the hardcoded overlay list in the validate-manifests CI workflow with find-based autodiscovery, picking up six previously unvalidated overlays and removing three stale ones
• Removed the legacy self-hosted monitoring stack (loki, kube-prometheus, kube-thanos, vector-agent) from the repository, completing the migration to Datadog and unblocking CI
• Updated the set-image automation workflow to update both prod and prod-hz in the same commit, preventing immediate post-launch drift between clusters

Olaf Alders (‎oalders‎)

• The bulk of my time was spent working with Salve on a significant funding proposal for CPAN security work
• Merged some pull requests for perlimports and released a new version to CPAN
• Merged some code I had written to add a new MetaCPAN API endpoint: /download_url/distribution/{distribution}
• Looked into adding GFM (GitHub Flavored Markdown) support to MetaCPAN. I have a proof of concept in place and discussed it with Graham Knop (‎haarg‎)
• Recorded 2.5 podcast episodes of The Underbar with BooK

Karl Williamson

• Got past a sticking point to releasing the next version of Devel::PPPort
• Gave a talk on the new API in 5.44 for XS code to use in handling UTF-8.
• Attended talk by Paul Evans (‎LeoNerd‎) on classes and roles
• H.Merijn Brand (‎Tux‎) clarified for me an underdocumented Configure behavior, which will lead to fixing a bug.
• With Leon Timmermans (‎leont‎)'s help, came up with a proposal for replacing PERL_NO_SHORT_NAMES (which has been broken for many releases) with new functionality that achieves the same aim, but signficantly easier to use.
• Tried to raise awareness of Unicode security issues
• Many many useful discussions
• Met many people whom I had long hoped to meet
• Was interviewd by Philippe Bruhat (‎BooK‎) and Olaf Alders (‎oalders‎)

Leo Lapworth (‎ranguard‎)

• Discussed long-term Test::Smoke management and hosting with H. Merijn Brand (Tux) and Todd Rinaldo (toddr); toddr has mostly rewrite it to a single container using SQLite and local files.
• Paired with Shawn Sorichetti (hide) on migrating MetaCPAN from DigitalOcean to Hetzner and reorganising Kubernetes for multiple environments; reviewed his changes for fast iteration.
• Talked with Paul Johnson (pjcj) about Devel::Cover hosting and container design for future efficiency and scalability.
• Joined MetaCPAN team and CPAN security team discussions on issues flagged by recent security reports.
• Side work: contributed to the Nono Sandbox tool (PR #812) and joined conversations and talks on AI in the context of Perl modules and publishing.