perl.qa | Postings from February 2015

Re: HTTPS, CPAN, and dist integrity

From:
Michiel Beijen
Date:
February 4, 2015 07:18
Subject:
Re: HTTPS, CPAN, and dist integrity
Message ID:
CABD0r113BGb=pR4ska_EQpE+AJaCxrySKG_kZ4c8BsRgRnaO=g@mail.gmail.com
Absolutely correct! I forgot about that; it is used for perl < 5.14 where
there is no HTTP::Tiny or LWP in core. And yes, this would be the best way
to go about this I think.

Can anyone fill in on the feasibility of directing all cpan clients to *one*
site, i.e. https://cpan.metacpan.org/ ?
--
Michiel

On Wednesday, 4 February 2015, Mike Doherty <mike@mikedoherty.ca> wrote:

> Doesn't cpan know how to use curl or wget if the system has it installed?
> Probably easier to bootstrap TLS support in perl that way.
>
> -Mike
>
> On Feb 3, 2015 2:26 PM, "Michiel Beijen" <michiel.beijen@gmail.com> wrote:
>
>> Hi,
>>
>> This Saturday at FOSDEM in the hallway I had some discussions with
>> leont, Tux and later also with .. oh I guess that was RJBS? I did not
>> introduce myself, very bad. Hi!
>>
>> Basically I think the whole CPAN setup with 200+ mirrors sounded great
>> back in the 1990s and it is still widely touted as a feature of CPAN.
>> But I'm a bit concerned about package integrity.  Most Linux
>> distributions (where the packages and ISOs are typically LOTS bigger)
>> who use mirrors have a system in place where they verify their
>> packages with GPG keys. If you do that then having many mirrors
>> outside of your control using plain HTTP is not a problem, but Perl
>> does not *really* have something like that. Yeah of course there is
>> the signatures list, which is GPG signed, but this signature is not
>> checked 'out of the box' as far as I know.
>>
>> So assuming you can't really verify the integrity of a module on a
>> mirror from the client, I think it would be best not to use any
>> mirrors.
>> As far as I know, with StrawberryPerl or a client like cpanm, you only
>> use one mirror anyway. Maybe the parties involved can share how much
>> bandwidth it takes them to see if it would be feasible to switch to
>> *one* source for CPAN with possibly a CDN underneath. The metacpan
>> seems to have a decent CDN now, has SSL certificates and a complete
>> index. I think they should be able to handle the additional data, but
>> this is just based on my gut feeling of scale of the thing, average
>> dist size, and such and not on actual facts.
>>
>> The other problem is how to securely connect to the mirror. There is
>> no support for SSL in core perl. But I think in many cases, it would
>> be an acceptable solution to install IO::Socket::SSL from your linux
>> distro's distribution, and then have the CPAN client 'auto-select' the
>> https version of the cpan mirror. If desired the CPAN client could
>> complain about not having SSL when IO::Socket::SSL is not installed.
>>
>> Please let me know if this would be feasible and what your concerns would
>> be.
>>
>> I'd be willing to contribute patches to the cpanpm client to use HTTPS
>> if available, and to rip out the mirrorlist stuff.
>> --
>> Michiel
>>
>
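The two client-side pieces the thread keeps coming back to, checking whether the client can even speak HTTPS and verifying a downloaded dist against the mirror's CHECKSUMS file, look like this in practice. This is an added example written for this page, not code from cpanpm, cpanm or any poster; it assumes only the core modules Digest::SHA and File::Temp, and the dist file, tarball bytes and CHECKSUMS text it uses are constructed on the spot rather than fetched from a mirror.

```perl
#!/usr/bin/env perl
# Added example (not from the thread). Two checks a CPAN client can make:
#  1. can we talk HTTPS at all (IO::Socket::SSL present)?
#  2. does the downloaded dist match the sha256 recorded in CHECKSUMS?
use strict;
use warnings;
use Digest::SHA;
use File::Temp qw(tempdir);

# 1. TLS capability: HTTP::Tiny and LWP both need IO::Socket::SSL for https.
sub https_available {
    return eval { require IO::Socket::SSL; 1 } ? 1 : 0;
}

# 2. Extract filename => sha256 pairs from a CHECKSUMS file. The real file is
#    Perl source assigning a hashref to $cksum; evaluating untrusted code from a
#    mirror is exactly what we want to avoid, so pull the fields out by regex.
#    Entries in a CHECKSUMS file contain no nested braces, so the lazy match is safe.
sub parse_checksums {
    my ($text) = @_;
    my %sha_for;
    while ($text =~ /'([^']+)'\s*=>\s*\{(.*?)\}/sg) {
        my ($file, $body) = ($1, $2);
        if ($body =~ /'sha256'\s*=>\s*'([0-9a-f]{64})'/) {
            $sha_for{$file} = $1;
        }
    }
    return \%sha_for;
}

# 3. Hash the local file and compare with the recorded digest.
#    Returns (1, message) on success and (0, message) on any failure.
sub verify_dist {
    my ($path, $sha_for) = @_;
    my ($name) = $path =~ m{([^/]+)\z};
    my $expected = $sha_for->{$name}
        or return (0, "no sha256 entry for $name in CHECKSUMS");
    open my $fh, '<:raw', $path or return (0, "cannot open $path: $!");
    my $actual = Digest::SHA->new(256)->addfile($fh)->hexdigest;
    close $fh;
    return $actual eq $expected
        ? (1, "sha256 ok for $name")
        : (0, "sha256 MISMATCH for $name (expected $expected, got $actual)");
}

# --- constructed demo data: a fake dist and a CHECKSUMS file in mirror layout ---
my $dir  = tempdir(CLEANUP => 1);
my $dist = "$dir/Example-Dist-0.01.tar.gz";     # hypothetical dist name
open my $out, '>:raw', $dist or die "cannot write $dist: $!";
print $out "not really a tarball, just sample bytes\n";
close $out;

open my $in, '<:raw', $dist or die "cannot read $dist: $!";
my $good = Digest::SHA->new(256)->addfile($in)->hexdigest;
close $in;
my $size = -s $dist;

my $checksums = <<"END";
# constructed CHECKSUMS text, same shape as the one served by CPAN mirrors
\$cksum = {
  'Example-Dist-0.01.tar.gz' => {
    'sha256' => '$good',
    'size'   => $size,
  },
};
END

printf "https capable: %s\n",
    https_available() ? "yes" : "no (install IO::Socket::SSL)";

my $sha_for = parse_checksums($checksums);
my ($ok, $msg) = verify_dist($dist, $sha_for);
print "$msg\n";                       # sha256 ok for Example-Dist-0.01.tar.gz

# Simulate a corrupted or altered copy on a mirror: append one byte, re-verify.
open $out, '>>:raw', $dist or die "cannot append to $dist: $!";
print $out "x";
close $out;
($ok, $msg) = verify_dist($dist, $sha_for);
print "$msg\n";                       # sha256 MISMATCH for Example-Dist-0.01.tar.gz ...
```

The digest comparison only helps if CHECKSUMS itself came from somewhere more trustworthy than the mirror serving the tarball, for example over HTTPS from a single canonical host, or with its PGP signature verified; that dependency is the point the original message makes about signatures not being checked out of the box. Parsing CHECKSUMS with a regex rather than `eval` keeps a hostile mirror from executing code on the client during verification.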
