
Re: OpenSSL alternative support WAS Re: Pre-RFC: support https out-of-the-box

From: Oodler 577 via perl5-porters
Date: December 3, 2021 18:12
Subject: Re: OpenSSL alternative support WAS Re: Pre-RFC: support https out-of-the-box
Message ID: YapeApjlfURYbnCF@odin.sdf-eu.org

* Martijn Lievaart <m@rtij.nl> [2021-12-03 17:35:17 +0100]:

> On 03-12-2021 at 17:13, Tomasz Konojacki wrote:
> > On Fri, 3 Dec 2021 12:41:08 +0100
> > Salvador Fandino <sfandino@gmail.com> wrote:
> > 
> > > In this regard, and in the context of just bootstrapping a CPAN client, I think that using standalone TLS/HTTPS clients should be also considered.
> > > 
> > > Getting Net::SSLeay to compile against OpenSSL (or any other SSL client library) can be pretty difficult, but just wrapping something like "openssl s_client" command is mostly trivial. "socat", "curl" or "wget" are other options.
> > CPAN.pm already uses wget or curl when IO::Socket::SSL isn't available
> > and a https mirror was requested.
> > 
> 
> In that case, a major reason for getting ssl in core went away, and it is
> indeed just one of the features we may or may not add, like the csv support
> I requested.

cpanm uses http by default, though during the recent root CA letsencrypt-alypse 
I ran into this issue described here (and closed with workaround):

> 'need option to pass option to "don't verify SSL" to underlying download method (wget, curl, _lwp_)'
> https://github.com/miyagawa/cpanminus/issues/634

And while I do support an existing tools-based approach, this is not going to
be 100% foolproof since we're dealing with many realms outside of just the
perl domain.

Lastly, if we're going to rely on a tool that is not universally installed (not
even wget or curl is this reliably installed), our final logical backstop will
remain being the easiest way to get things on a computer, i.e., the native
package manager. Unfortunately in this case, I can't see how perl can be able
to accomplish this in a vacuum; so we may wish to consider diligence on the upstream
end to track what perl related stuff is: a) provided in a "base" (including "min")
install and b) what's available in the package manager.

Cheers,
Brett

> 
> 
> HTH,
> 
> M4
> 
> 

-- 
--
oodler@cpan.org
oodler577@sdf-eu.org
SDF-EU Public Access UNIX System - http://sdfeu.org
irc.perl.org #openmp #pdl #native
