# CPAN Author’s Secure Coding Guide

A security guide for CPAN Distribution Authors
Document status: ⚠️ DRAFT
> [!CAUTION]
> What you see here is a DRAFT of the CPAN Author's Security Guide by the CPAN Security Group (CPANSec). As long as this document is in DRAFT, all of the points and ideas below are open to revision, deletion or amending – by you!
- Contribute on GitHub: https://github.com/CPAN-Security/security.metacpan.org/blob/cpan-author-guide/docs/cpan-author-guide.md
- Discuss on IRC: ircs://ssl.irc.perl.org:7062/#cpan-security
- Discuss on Matrix: https://matrix.to/#/#cpansec:matrix.org
## Learn the basics
- Read the perlsec page to familiarize yourself with Perl’s security features
- Read the criteria of the OpenSSF Open Source Best Practices Badge program, and try to achieve at least a passing badge. (You can also see how well other Perl projects do in this regard!)
## Keep your security metadata up-to-date

- Read CPAN::Meta::Spec and make sure all relevant fields in your distribution's metadata are correct and up-to-date
## Share your security metadata

- Add a security.txt file (RFC 9116) to your project website
- Add a security policy (a SECURITY.md file) to your GitHub project
## Add security tests to your code

- Add taint-mode tests to your codebase: run your tests under `perl -T` and check that untrusted input (from %ENV, @ARGV, files, the network) is validated before it reaches anything sensitive
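As an added illustration (not code from the guide or from CPANSec), the test file below shows what such a taint test can look like. It assumes a hypothetical `untaint_hostname` helper of the kind a distribution might ship, uses the core `Scalar::Util::tainted` to inspect taint flags, and relies on `$ENV{PATH}` being set so that `%ENV` can serve as a source of tainted data.

```perl
#!/usr/bin/perl -T
# t/taint.t (hypothetical): under -T, data from %ENV, @ARGV, STDIN and files
# is marked tainted, and Perl dies if tainted data reaches system(), exec(),
# open() for writing and similar. These tests check that the module's
# validation really untaints good input and really rejects bad input.
use strict;
use warnings;
use Test::More;
use Scalar::Util qw(tainted);

# Hypothetical helper of the kind a module might ship. Only the part matched
# by a strict allow-list pattern is returned (regex captures from tainted
# data are untainted); anything else is rejected. A lazy /(.*)/ would also
# silence -T, but without validating anything, which is exactly the bug
# these tests are meant to catch.
sub untaint_hostname {
    my ($input) = @_;
    return undef unless defined $input && length($input) <= 253;
    return $1
        if $input =~ /\A([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)\z/i;
    return undef;
}

# The classic "taint brush": %ENV values are tainted under -T, and substr()
# of a tainted string is tainted even when empty, so concatenating it lets
# us build tainted sample inputs offline. (Assumes PATH is set.)
my $brush = substr($ENV{PATH} // '', 0, 0);
my $good  = 'www.example.com' . $brush;   # constructed sample input
my $bad   = 'bad host!' . $brush;         # constructed: disallowed characters

ok( tainted($good), 'constructed input is tainted, as real external input would be' );

my $clean = untaint_hostname($good);
is( $clean, 'www.example.com', 'valid hostname passes through unchanged' );
ok( !tainted($clean), 'validated value is untainted and safe to pass to system()' );

is( untaint_hostname($bad),   undef, 'input with disallowed characters is rejected' );
is( untaint_hostname(undef),  undef, 'undef input is rejected' );
is( untaint_hostname('a' x 254), undef, 'over-long input is rejected' );

done_testing;
```

Run it with `prove -T t/taint.t` (or `perl -T t/taint.t`); Test::Harness also honours the `-T` in the shebang line.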
## Practice symbol import discipline
- Use App::perlimports to get a better idea of what symbols you are using.
## Reduce the number of transitive dependencies
- The more modules you depend on, the larger the attack surface you’ll have to defend.
## Ensure you have trusted co-maintainers
- Add a co-maintainer in PAUSE
## Have a succession plan
- Describe who among your co-maintainers will take over your project if you become unavailable
## Select an appropriate Open Source license
- Pick an OSI-approved Open Source license, and add it both to your project repo and other metadata.
## Relevant documentation and guides

## License and use of this document
- Version: 0.5.1
- License: CC-BY-SA-4.0
- Copyright: © Salve J. Nilsen sjn@oslo.pm, Some rights reserved.
You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.