
Re: Pre-RFC: support https out-of-the-box

From: gregor herrmann
Date: June 17, 2022 00:16
Subject: Re: Pre-RFC: support https out-of-the-box
Message ID: YqvH1ijZvyaZUiZM@jadzia.comodo.priv.at

On Wed, 15 Jun 2022 02:52:01 +0000, Oodler 577 via perl5-porters wrote:

> > options:
> >  1. bundle modules, look for openssl (and poss other libs)
> >  2. bundle an SSL lib and modules such as Mbed TLS, WolfSSL
> >  3. Go with Curl, as it can work with a range of SSL libraries
> >  4. work with various SSL programs (wget, curl, etc)
> >  5. anything else?
> As a user, concur that #1 seems to be the most reasonable, with the caveat
> that IO::Socket::SSL provided by MAJOR packages be factored in somehow. I suspect
> distros like Debian/Ubuntu would necessarily want to strip this out somehow
> given they strip out things like perldoc into separate packages. But, knowing
> that my opinion means nothing, I'd place much more emphasis on opinions of pkg folks
> from Debian, OpenBSD, FreeBSD, and pkgsrc (NetBSD), etc

I can't speak for Niko and Dom, who are the maintainers of perl
itself in Debian (but they're subscribed here, so can add to my
comments), still some thoughts from a CPAN->Debian packager:

* Having TLS/https in perl sounds nice.
* We are not packaging Mozilla::CA, because we have the very same
  certs in the ca-certificates package (and duplication, skew,
  duplicate efforts, security updates, you name it).
  When a CPAN dist requires Mozilla::CA we patch it, and I'm pretty
  sure the same would happen if perl included Mozilla::CA
  unconditionally.
  So for us any solution which probes for CA certs or has a configure
  option or whatever would be nice.
* This whole discussion about HTTPS is completely in vain, as long as
  HTTP::Tiny doesn't verify the certificates.
  Cf. https://github.com/chansen/p5-http-tiny/issues/134 

Cheers,
gregor


-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
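
The two points raised in the message above (use the distribution's CA certificates instead of Mozilla::CA, and have HTTP::Tiny verify certificates) combined in one client constructor. This is an added example, not part of the message or of HTTP::Tiny itself; the bundle paths and the helper names `find_system_ca_file` and `verifying_client` are assumptions for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Candidate CA bundle locations (assumed common paths; adjust per platform).
my @CA_CANDIDATES = (
    $ENV{SSL_CERT_FILE},                     # explicit override, if set
    '/etc/ssl/certs/ca-certificates.crt',    # Debian/Ubuntu (ca-certificates package)
    '/etc/pki/tls/certs/ca-bundle.crt',      # Fedora/RHEL
    '/etc/ssl/cert.pem',                     # BSDs, macOS
);

# Return the first readable CA bundle, or nothing if none is found.
sub find_system_ca_file {
    for my $path (grep { defined && length } @CA_CANDIDATES) {
        return $path if -r $path;
    }
    return;
}

# Build an HTTP::Tiny client that refuses unverified certificates.
sub verifying_client {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "TLS support unavailable: $why\n" unless $ok;

    # Fail closed: no bundle means no client, not an unverified one.
    my $ca_file = find_system_ca_file()
        or die "no system CA bundle found; refusing to run without verification\n";

    return HTTP::Tiny->new(
        verify_SSL  => 1,                            # set explicitly, do not rely on the default
        SSL_options => { SSL_ca_file => $ca_file },  # passed through to IO::Socket::SSL
    );
}

my $http = verifying_client();
printf "verify_SSL=%d, CA bundle=%s\n",
    $http->verify_SSL, $http->SSL_options->{SSL_ca_file};

# Optional: fetch a URL given on the command line.
# HTTP::Tiny reports internal errors, including failed verification, as status 599.
if (my $url = shift @ARGV) {
    my $res = $http->get($url);
    print "$res->{status} $res->{reason}\n";
    print $res->{content} if $res->{status} == 599;  # error text from the TLS layer
}
```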
