Bug#954089: libplack-perl: Please verify server identity via SSL

Damyan Ivanov dmn at debian.org
Sun May 17 16:39:34 BST 2020


-=| gregor herrmann, 15.05.2020 21:14:35 +0200 |=-
> On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:
> 
> > > > But to fully measure the impact, it would be nice to have the number 
> > > > of failing packages built with a patched HTTP::Tiny.
> > > I have one small concern: As the change is about checking remote SSL
> > > certs, and tests don't/can't/must not call out to the internet, is it
> > > possible that we won't really catch all potential issues?
> > Noted. The test rebuilds should be done without the usual isolation 
> > from the Internet.
> > I guess a closer inspection of the affected packages is needed.
> 
> Hi Dam and all,
> 
> did you or anyone else get to look into this rebuild effort?

I haven't. I am still at the stage of "(re-)invent an easy way to 
rebuild a list of packages with a crafted chroot". I don't see this 
changing soon, so please Dom, anybody, feel free to take the job.

> If not, Dom said that he could also try the rebuilds on
> perl.debian.net.
> 
> Notes:
> - HTTP::Tiny is in perl core and in libhttp-tiny-perl;
> - The required change looks like a one-character-patch:
>   lib/HTTP/Tiny.pm:        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
> - The tests should be run with internet enabled as much as possible.

-- dam
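
The "closer inspection of the affected packages" mentioned in the thread can start from a source scan. The following is an added example, not part of the original message and not Debian or HTTP::Tiny tooling: a heuristic Perl scanner that lists `HTTP::Tiny->new` calls passing neither `verify_SSL` nor `verify_ssl`, which are the call sites that inherit the default quoted above. The function name `find_default_verify_calls`, the file names and the sample sources are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Heuristic: find HTTP::Tiny->new(...) calls that pass neither verify_SSL nor
# verify_ssl, i.e. call sites that inherit the module default.
# Handles one level of nested parentheses in the argument list; deeper
# nesting falls back to flagging the call for manual review.
sub find_default_verify_calls {
    my ($source) = @_;
    my @hits;
    my $call_re = qr/(HTTP::Tiny\s*->\s*new\b(?:\s*(\((?:[^()]|\([^()]*\))*\)))?)/;
    while ($source =~ /$call_re/g) {
        my ($call, $args) = ($1, defined $2 ? $2 : '');
        my $before = substr($source, 0, $-[1]);   # text preceding the call
        next if $args =~ /\bverify_ssl\b/i;       # explicit choice, either spelling
        my $line = 1 + ($before =~ tr/\n//);      # 1-based line of the call
        $call =~ s/\s+/ /g;                       # print multi-line calls on one line
        push @hits, [$line, $call];
    }
    return @hits;
}

# Constructed sample sources (hypothetical file names), not from any real package.
my %samples = (
    'lib/App/Fetch.pm' => q{use HTTP::Tiny;
my $ua = HTTP::Tiny->new(timeout => 10);
my $res = $ua->get('https://example.org/');
},
    'lib/App/Strict.pm' => q{use HTTP::Tiny;
my $ua = HTTP::Tiny->new(
    agent      => join('/', 'app', '1.0'),
    verify_SSL => 1,
);
},
    'bin/oneshot' => q{use HTTP::Tiny;
print HTTP::Tiny->new->get('https://example.org/')->{content};
},
);

for my $file (sort keys %samples) {
    for my $hit (find_default_verify_calls($samples{$file})) {
        printf "%s:%d: %s\n", $file, @$hit;
    }
}
```

The scan only looks at constructor arguments, so a flagged call is a candidate for review rather than a confirmed dependency on the default.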


