develooper Front page | perl.qa | Postings from February 2015

HTTPS, CPAN, and dist integrity

Thread Next
From:
Michiel Beijen
Date:
February 3, 2015 22:25
Subject:
HTTPS, CPAN, and dist integrity
Message ID:
CABD0r11Hwbsy_FmeZBhGwLiyArD0EXTpT2EiqY2=bCCYKtQVew@mail.gmail.com
Hi,

This Saturday at FOSDEM in the hallway I had some discussions with
leont, Tux and later also with .. oh I guess that was RJBS? I did not
introduce myself, very bad. Hi!

Basically I think the whole CPAN setup with 200+ mirrors sounded great
back in the 1990s and it is still widely touted as a feature of CPAN.
But I'm a bit concerned about package integrity.  Most Linux
distributions (where the packages and ISOs are typically LOTS bigger)
who use mirrors have a system in place where they verify their
packages with GPG keys. If you do that then having many mirrors
outside of your control using plain HTTP is not a problem, but Perl
does not *really* have something like that. Yeah of course there is
the signatures list, which is GPG signed, but this signature is not
checked 'out of the box' as far as I know.

So assuming you can't really verify the integrity of a module on a
mirror from the client, I think it would be best not to use any
mirrors.
As far as I know, with StrawberryPerl or a client like cpanm, you only
use one mirror anyway. Maybe the parties involved can share how much
bandwith it takes them to see if it would be feasible to switch to
*one* source for CPAN with possibly a CDN underneath. The metacpan
seems to have a decent CDN now, has SSL certificates and a complete
index. I think they should be able to handle the additional data, but
this is just based on my gut feeling of scale of the thing, average
dist size, and such and not on actual facts.

The other problem is how to securely connect to the mirror. There is
no support for SSL in core perl. But I think in many cases, it would
be an acceptable solution to install IO::Socket::SSL from your linux
distro's distribution, and then have the CPAN client 'auto-select' the
https version of the cpan mirror. If desired the CPAN client could
complain about not having SSL when IO::Socket::SSL is not installed.

Please let me know if this would be feasible and what your concerns would be.

I'd be willing to contribute patches to the cpanpm client to use HTTPS
if available, and to rip out the mirrorlist stuff.
--
Michiel

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About