CPAN StarJacking

Rationale

StarJacking¹ is an undertaking to make people prefer a module because of manipulated popularity.

While a known topic, checking CPAN for “StarJacking” was mainly the result of the attention drawn to it thanks to experiments² by Eugene Rojavski (EUGENER).

How to choose what CPAN module to depend on?

CPAN has such a huge collection of modules available it’s sometimes difficult to make a decision about the best one to use.

There are curated lists of recommendations available, like the Task::Kensho project, @hachiojipm’s Awesome Perl list, and @uhub’s Awesome Perl (again). While these lists are quite useful for assisting in the selection and procurement process, they cannot cover all needs.

Module namespaces may also help, for instance the Mojo::* module namespace should, by convention, mainly using contain Mojo inner circle modules. Similarly, *::Tiny modules should, by convention, be smaller alternative to other modules of the same purpose.

Author recognition also plays an important role in the user’s perception of trust and credibility due to several human biases such as the Halo Effect and general familiarity favoritism: if you know or trust a module from a certain author, other modules published by that same person are more likely to be considered.

On top of that, some indicators of quality (build reports, known issues) and activity (maintenance) may be taken into account.

Popularity indicators

Beyond reputation (module and/or author), MetaCPAN provides some popularity indicators for CPAN modules:

Indicator	Example	Notes
++
River		River of CPAN position

Quality indicators

Some other indicators can help in the choice but give more informations about quality:

Indicator	Example	Notes
Issues
CPANTesters
Bus factor

StarJacking

StarJacking refers to the trust that VCS stars provide to a module.

By reusing the popularity of another project, unrelated to the module, and exploiting the non-verification of the link (metadata), an attacker can make a module appear much more popular than it actually is.

Other ecosystems like PyPI and npm are also impacted by this problem.

Like many other programming language ecosystems, we can attach “metadata” such as a public repository, website and issue tracker URLs to CPAN packages.

It has to be done directly in the release metadata.

Example of using resources metadata pointing to a popular project, for instance in META.yml

META_MERGE   => {
    resources => {
        repository => {
            type => 'git',
            url  => 'https://github.com/popular/lot-of-stars.git',
            web  => 'https://github.com/popular/lot-of-stars',
        },
        bugtracker => {
            web => 'https://github.com/popular/lot-of-stars-and-tickets',
        },
    },
},

Read CPAN add link to version control system for more about how to set the metadata.

CPAN metadata is effectively unverified.

PyPI now implements a mechanism for verifying metadata with Project Metadata Verifications:

Or it can warn you about metadata information being “unverified”:

Back to MetaCPAN, the outcome is that GitHub/Gitlab/… numbers are almost invisible in MetaCPAN. For instance, for a module with more than 200 stars in GitHub:

Only issues are visible, but how can issues help in StarJacking?

Still, we can get more details on metadata by hovering over Repository:

As a conclusion, CPAN is not impacted even though CPAN modules can provide inaccurate or incorrect metadata.

It’s because GitHub’s popularity is not strongly enough propagated to MetaCPAN, so lying on metadata (in a particular repository) does not bring any real advantage over other modules.

PlusPlusJacking

MetaCPAN package popularity uses an independant indicator, the “++” (PlusPlus).

++ are sent by other CPAN authors.

Manipulation of a PlusPlus score is arguably possible but not straightforward, as it requires the registration of several new accounts, which is a human-reviewed process.

And creations of authors requires a request and manual acceptance by CPAN admins.

RiverJacking

See the river of CPAN for explanation about the “river” concept.

The river score appears next to the module name in several places:

The river score audience is mostly the maintainers.

The calculation is made externally to PAUSE and MetaCPAN.

Conclusion

CPAN is highly unlikely to be vulnerable to StarJacking because VCS stars are not a factor in how the popularity of a module is determined on MetaCPAN.

Manipulating popularity via other CPAN in-house indicators is possible but not easy to implement.

The very social nature of CPAN (manual acceptance of new users, code reviews of new modules) makes it difficult overall to exploit.