Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Vincent Lefevre vincent at vinc17.net
Thu Oct 24 10:00:28 BST 2019


On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).

Indeed, and even if check_sigs is set, it is ignored if the module is
not signed (instead of getting a failure). But CHECKSUMS needs to be
downloaded from a reliable website (I assume that www.cpan.org is) and
in a secure way (https, not http).

> From a cursory look it looks to me like cpanm from src:cpanminus verifies
> CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
> recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
> be wrong.

I can see that, by default, CHECKSUMS is verified, if I understand
correctly:

[...]
Running install for module 'XML::TreePP'
Fetching with LWP:
http://www.cpan.org/authors/id/K/KA/KAWASAKI/XML-TreePP-0.43.tar.gz
Fetching with LWP:
http://www.cpan.org/authors/id/K/KA/KAWASAKI/CHECKSUMS
Checksum for /home/vlefevre/.cpan/sources/authors/id/K/KA/KAWASAKI/XML-TreePP-0.43.tar.gz ok
[...]

However, with the default urllist value, it is downloaded using http
(not https). One needs to set urllist to

  [q[https://www.cpan.org/]]

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
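A defender's check for the two settings discussed in this thread, added here as an example that is not part of the original message or of CPAN.pm: it loads a CPAN.pm configuration file, flags every urllist entry that is not https, and reports the check_sigs state with the caveat that it only applies to signed distributions. The config path defaults to the usual per-user ~/.cpan/CPAN/MyConfig.pm, which is an assumption; pass another path as the first argument.

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm code: audit a CPAN.pm configuration for an
# http:// urllist (the weak default) and report the check_sigs setting.
use strict;
use warnings;

# Assumption: the per-user config is at the default location.
my $config_file = shift @ARGV // "$ENV{HOME}/.cpan/CPAN/MyConfig.pm";
# 'do' searches @INC for relative names, so anchor them to the cwd.
$config_file = "./$config_file" unless $config_file =~ m{^/};

# MyConfig.pm is plain Perl that assigns $CPAN::Config, so 'do' loads it
# without loading CPAN.pm itself and without touching the network.
do $config_file or die "cannot load $config_file: ", ($@ || $!), "\n";
my $cfg = $CPAN::Config or die "$config_file did not set \$CPAN::Config\n";

# Returns a list of findings about urllist; an empty list means all mirrors
# are fetched over https.
sub audit_urllist {
    my ($cfg) = @_;
    my @findings;
    my @urls = @{ $cfg->{urllist} || [] };
    push @findings, "urllist is empty, CPAN.pm will pick mirrors itself"
        unless @urls;
    for my $u (@urls) {
        # Over http an on-path attacker can replace the tarball and the
        # CHECKSUMS file together, so the checksum comparison proves nothing.
        push @findings, "urllist entry '$u' is not https"
            unless $u =~ m{^https://}i;
    }
    return @findings;
}

my @findings = audit_urllist($cfg);
print "$_\n" for @findings;

# check_sigs is only consulted for distributions that ship a SIGNATURE;
# unsigned ones are installed as if it were off, so it is no substitute
# for an https urllist.
printf "check_sigs is %s (applies only to signed distributions)\n",
    $cfg->{check_sigs} ? "on" : "off";

if (@findings) {
    print <<'FIX';

To fetch everything from www.cpan.org over https, in the cpan shell run:
  o conf urllist https://www.cpan.org/
  o conf commit
FIX
    exit 1;
}
print "urllist is https-only\n";
```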