
Re: PSC #106 2023-05-05

Dominic Hargreaves
May 22, 2023 15:23
On Sat, May 06, 2023 at 08:33:38AM +0200, Philippe Bruhat (BooK) wrote:
> ## Installing modules securely with Perl default install
> As much as we want HTTPS support in core, we can't have it for v5.38.
> However, we want a newly installed Perl + to be secure by
> default. Currently this is not the case because `HTTP::Tiny` does not
> use SSL normally, and even when installed it does not set
> `verify_SSL` to true.
> `HTTP::Tiny` should be secure by default (set `verify_SSL` to true,
> complain if there are no root CAs available).
> is a far more complex question because its code is a deep twisty
> maze of years of piled-up workarounds and legacy code (FTP by default?),
> and the question of "what should this do?" is far less clear-cut. More
> discussions will have to be had with more people who are deeper
> involved, to work out what would be best.
> We should do this **ASAP**, as it is a release blocker.

Hi, this thread has just been brought to my attention. I looked at
HTTP::Tiny and default HTTPS a few years ago. In Debian we never actually
got around to applying the patch - we are reluctant to carry such
divergent patches around and it became obvious that the maintainer of
HTTP::Tiny didn't agree:

Has the discussion with the maintainer moved on since then? Are we likely
to see this in 5.38?

I still believe that it's the right approach, and I support this change
being made.

In any case, the patch linked from that issue is as far as I know
tested and working, should it be useful.
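
The following is an added example, not part of the original message and not code from HTTP::Tiny or the patch mentioned above: a caller-side wrapper that requests `verify_SSL` explicitly and fails closed when TLS support or root CAs are missing, rather than relying on the module's default. The helper name `fetch_verified` and the URL are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# fetch_verified() is a hypothetical helper name, not part of HTTP::Tiny.
# It returns the body only if every hop used HTTPS with a verified certificate.
sub fetch_verified {
    my ($url) = @_;

    # Refuse plain HTTP (and any other scheme) before touching the network.
    die "refusing non-HTTPS URL: $url\n" unless $url =~ m{\Ahttps://}i;

    # Ask for certificate verification explicitly instead of trusting the default.
    my $http = HTTP::Tiny->new( verify_SSL => 1, timeout => 30 );

    # Called on an instance with verify_SSL set, can_ssl also checks that a
    # CA bundle can be located, so a missing root store is reported here.
    my ( $ok, $why ) = $http->can_ssl;
    die "TLS verification unavailable: $why\n" unless $ok;

    my $res = $http->get($url);

    # HTTP::Tiny reports internal errors, including failed handshakes and
    # certificate mismatches, as status 599 with the message in 'content'.
    die "transport error for $url: $res->{content}\n" if $res->{status} == 599;
    die "HTTP $res->{status} $res->{reason} for $url\n" unless $res->{success};

    # Redirects are followed by default; reject the result if any hop,
    # including the final one, was served over a non-HTTPS URL.
    for my $hop ( @{ $res->{redirects} || [] }, $res ) {
        die "redirect chain left HTTPS at $hop->{url}\n"
            unless $hop->{url} =~ m{\Ahttps://}i;
    }

    return $res->{content};
}

# The default URL is a placeholder (assumption); pass a real one as argument.
my $url  = shift(@ARGV) // 'https://example.org/';
my $body = eval { fetch_verified($url) };
if ( defined $body ) {
    printf "fetched %d bytes from %s with verification on\n", length($body), $url;
}
else {
    warn $@;
    exit 1;
}
```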

