From: Dominic Hargreaves
Date: May 22, 2023 15:23
Subject: Re: PSC #106 2023-05-05
Message ID: ZGuI0ZE4m0AwxK2A@urchin.earth.li
On Sat, May 06, 2023 at 08:33:38AM +0200, Philippe Bruhat (BooK) wrote:
> ## Installing modules securely with Perl default install
>
> As much as we want HTTPS support in core, we can't have it for v5.38.
> However, we want a newly installed Perl + CPAN.pm to be secure by
> default. Currently this is not the case because `HTTP::Tiny` does not
> use SSL normally, and even when installed it does not set
> `verify_SSL` to true.
>
> `HTTP::Tiny` should be secure by default (set `verify_SSL` to true,
> complain if there are no root CAs available).
>
> CPAN.pm is a far more complex question because its code is a deep twisty
> maze of years of piled-up workarounds and legacy code (FTP by default?),
> and the question of "what should this do?" is far less clear-cut. More
> discussions will have to be had with more people who are more deeply
> involved, to work out what would be best.
>
> We should do this **ASAP**, as it is a release blocker.
Hi, this thread has just been brought to my attention. I looked at
HTTP::Tiny and default HTTPS a few years ago. In Debian we never actually
got around to applying the patch - we are reluctant to carry such
divergent patches around and it became obvious that the maintainer of
HTTP::Tiny didn't agree: https://github.com/chansen/p5-http-tiny/issues/134
Has the discussion with the maintainer moved on since then? Are we likely
to see this in 5.38?
I still believe that it's the right approach, and I support this change
being made.
In any case, the patch linked from that issue is as far as I know
tested and working, should it be useful.
Cheers
Dominic
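The point the quoted PSC notes make about `HTTP::Tiny` is that its default client does not set `verify_SSL`, so an HTTPS fetch is encrypted but the server certificate is never checked against a root CA. The following is an added illustration, not code from this thread, from the Debian patch, or from HTTP::Tiny itself: it builds the default (unverified) client beside an explicitly hardened one, uses the documented `can_ssl` method to report whether verification is even possible in the current environment (IO::Socket::SSL, Net::SSLeay and a CA bundle present), and wraps the strict client in a small `fetch_verified` helper of my own that refuses to download anything when verification cannot be done. The URL is a placeholder.

```perl
#!/usr/bin/env perl
# Added example (not from the thread or from HTTP::Tiny): the HTTP::Tiny
# default versus a client with verify_SSL => 1, plus an up-front check that
# the environment can actually verify certificates.
use strict;
use warnings;
use HTTP::Tiny;

# Placeholder target; any HTTPS URL would do.
my $url = 'https://www.example.com/';

# Default client: verify_SSL is false, so TLS is used when IO::Socket::SSL is
# installed, but the server certificate is not checked against any root CA.
my $lax = HTTP::Tiny->new;

# Hardened client: verify_SSL => 1 makes HTTP::Tiny fail the request unless
# the certificate chains to a trusted CA (Mozilla::CA or a system bundle).
my $strict = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
);

# can_ssl reports whether IO::Socket::SSL and Net::SSLeay are available and,
# when verify_SSL is set, whether a CA bundle could be located. In list
# context it returns (ok, reason).
for my $pair ( [ lax => $lax ], [ strict => $strict ] ) {
    my ( $name, $client ) = @$pair;
    my ( $ok, $why ) = $client->can_ssl;
    printf "%-6s can_ssl: %s\n", $name, $ok ? 'yes' : "no ($why)";
}

# Hypothetical helper: only ever fetch installable code through the strict
# client, and refuse outright if verification is not possible rather than
# silently falling back to an unverified connection.
sub fetch_verified {
    my ($u) = @_;
    my ( $ok, $why ) = $strict->can_ssl;
    die "Refusing to fetch $u without verified TLS: $why\n" unless $ok;
    my $res = $strict->get($u);
    die "Fetch failed: $res->{status} $res->{reason}\n" unless $res->{success};
    return $res->{content};
}

my $body = eval { fetch_verified($url) };
print defined $body
    ? "fetched " . length($body) . " bytes over verified TLS\n"
    : "error: $@";
```

On a host with IO::Socket::SSL but no CA bundle, the lax client reports `can_ssl: yes` while the strict one reports `no` with the reason, which is exactly the "complain if there are no root CAs available" behaviour the PSC notes ask for as a default. A CA bundle at a known path can be pinned with the documented `SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' }` constructor argument when the system location is not auto-detected.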