Bug#954044: libcpan-perl-releases-perl: Please verify server identity via SSL
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 29 07:46:44 BST 2020
Control: severity -1 wishlist
Hi,
On Sun, Mar 15, 2020 at 06:44:19PM -0700, Felix Lechner wrote:
> Package: libcpan-perl-releases-perl
> Severity: important
>
> Dear maintainer,
>
> Your package uses the Perl module HTTP::Tiny (admittedly with plain
> http://) but it does not set the verify_SSL attribute to a true value.
>
> By default, that module does not validate the identity of server
> certificates. The documentation states that "Server identity
> verification is controversial and potentially tricky..." [1]
>
> As late as 2015, upstream has been doubling up: "we're not going to be
> responsible for the user's trust model" [2]
>
> I believe, on the other hand, that the encryption of a transmission
> has no value when talking to the wrong person. You can easily see the
> useless and dangerous default by running the script at the end of this
> message.
>
> Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Unless mistaken, HTTP::Tiny is only used in tools/ which are installed
as examples on how one can potentially use CPAN::Perl::Releases.
Still, this should be addressed, but we won't diverge here from
upstream, so this should be reported upstream/forwarded and then, once
fixed upstream, close the bug.
Regards,
Salvatore
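For reference, this is how a script such as those in tools/ could construct its HTTP::Tiny client so that server identity is actually checked, with a guard that refuses to send a request through a client whose verify_SSL is off. This is an added example, not code from the bug report, the package or HTTP::Tiny itself; the CA file path and the fetch URL are assumptions. HTTP::Tiny releases before 0.083 default verify_SSL to false, and since 0.083 the default is true, so setting it explicitly keeps the behaviour independent of the installed version.

```perl
#!/usr/bin/perl
# Added example: an HTTP::Tiny client that verifies the server certificate,
# compared against the module's historical default as described in the report.
use strict;
use warnings;
use HTTP::Tiny;

# Build a client with certificate verification turned on. SSL_options is only
# needed for a private CA; the path below is a placeholder (assumption). Without
# it, HTTP::Tiny uses Mozilla::CA or the system trust store via IO::Socket::SSL.
sub make_verified_client {
    my (%opt) = @_;
    my %args = (verify_SSL => 1, timeout => 30);
    $args{SSL_options} = { SSL_ca_file => $opt{ca_file} } if $opt{ca_file};
    return HTTP::Tiny->new(%args);
}

# Guard: fail before any request is made if the client would accept any peer.
sub assert_verifies {
    my ($http) = @_;
    die "refusing to use an HTTP::Tiny client with verify_SSL disabled\n"
        unless $http->verify_SSL;
    return $http;
}

# Fetch a URL through a verified client only. HTTP::Tiny reports transport and
# TLS failures (including a certificate that does not match the host) as a
# synthetic status 599 with the reason in the body, so surface that explicitly.
sub fetch_verified {
    my ($http, $url) = @_;
    my $res = assert_verifies($http)->get($url);
    die "TLS/transport failure for $url: $res->{content}" if $res->{status} == 599;
    die "HTTP $res->{status} $res->{reason} for $url"     unless $res->{success};
    return $res->{content};
}

# Offline comparison of the two constructions; no request is sent here.
my $default  = HTTP::Tiny->new;               # as the tools/ scripts do today
my $hardened = make_verified_client();         # what the report asks for
printf "default  verify_SSL: %s\n", $default->verify_SSL  ? 'on' : 'off';
printf "hardened verify_SSL: %s\n", $hardened->verify_SSL ? 'on' : 'off';

# Example call (hypothetical URL standing in for the real metadata endpoint):
# my $body = fetch_verified($hardened, 'https://example.invalid/perl_version_all.json');
```

Passing `$default` to fetch_verified on a pre-0.083 HTTP::Tiny dies in assert_verifies, which is the point: the check is made once at construction time rather than relying on each call site remembering the attribute.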