develooper Front page | | Postings from February 2015

Re: HTTPS, CPAN, and dist integrity

Thread Previous | Thread Next
Mike Doherty
February 4, 2015 00:47
Re: HTTPS, CPAN, and dist integrity
Message ID:
Doesn't cpan know how to use curl or wget if the system has it installed?
Probably easier to bootstrap TLS support in perl that way.


On Feb 3, 2015 2:26 PM, "Michiel Beijen" <> wrote:

> Hi,
> This Saturday at FOSDEM in the hallway I had some discussions with
> leont, Tux and later also with .. oh I guess that was RJBS? I did not
> introduce myself, very bad. Hi!
> Basically I think the whole CPAN setup with 200+ mirrors sounded great
> back in the 1990s and it is still widely touted as a feature of CPAN.
> But I'm a bit concerned about package integrity.  Most Linux
> distributions (where the packages and ISOs are typically LOTS bigger)
> who use mirrors have a system in place where they verify their
> packages with GPG keys. If you do that then having many mirrors
> outside of your control using plain HTTP is not a problem, but Perl
> does not *really* have something like that. Yeah of course there is
> the signatures list, which is GPG signed, but this signature is not
> checked 'out of the box' as far as I know.
> So assuming you can't really verify the integrity of a module on a
> mirror from the client, I think it would be best not to use any
> mirrors.
> As far as I know, with StrawberryPerl or a client like cpanm, you only
> use one mirror anyway. Maybe the parties involved can share how much
> bandwith it takes them to see if it would be feasible to switch to
> *one* source for CPAN with possibly a CDN underneath. The metacpan
> seems to have a decent CDN now, has SSL certificates and a complete
> index. I think they should be able to handle the additional data, but
> this is just based on my gut feeling of scale of the thing, average
> dist size, and such and not on actual facts.
> The other problem is how to securely connect to the mirror. There is
> no support for SSL in core perl. But I think in many cases, it would
> be an acceptable solution to install IO::Socket::SSL from your linux
> distro's distribution, and then have the CPAN client 'auto-select' the
> https version of the cpan mirror. If desired the CPAN client could
> complain about not having SSL when IO::Socket::SSL is not installed.
> Please let me know if this would be feasible and what your concerns would
> be.
> I'd be willing to contribute patches to the cpanpm client to use HTTPS
> if available, and to rip out the mirrorlist stuff.
> --
> Michiel

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About