Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Niko Tyni ntyni at debian.org
Sat Oct 26 17:22:47 BST 2019


Control: tag -1 upstream

On Sat, Oct 26, 2019 at 03:23:43PM +0200, Vincent Lefevre wrote:
> On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> > I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> > I was referring to verifying these signatures. Whether the download
> > is https or not is not relevant for that verification.
> 
> This is not documented and the signature does not appear to be
> checked. Or do you have some proof?

I did not claim CPAN.pm checks these signatures. To the contrary,
I specifically said it looks to me like cpanminus does check them
(at least with --verify) but CPAN.pm doesn't.

I'm not sure what proof you expect from me. I only tried to express that
checking those signatures would be my preferred way of fixing this bug.
I learned of their existence from the perlmonks post that I quoted
earlier in this bug.

> Given that, https at least allows one to avoid MITM attacks.

I certainly agree that using https for downloading would be good. Perhaps
that alone would even be a sufficient fix for this issue, though I think
checking the signatures would be even better (and obviously the options
are not mutually exclusive.)

As I already noted in this bug, https CPAN mirrors don't seem to exist,
or at least they are not documented. Perhaps that's just an oversight.

Anyway, as has surely become clear by now I'm not particularly familiar
with CPAN. I don't feel my input is useful here so I will stop now.

Thank you for bringing this upstream. I'll be happy to see this fixed
there and will consider backporting fixes once they exist.
-- 
Niko Tyni   ntyni at debian.org
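The thread contrasts two defences: checking a downloaded tarball against the mirror's CHECKSUMS entry, and checking the PGP signature on the CHECKSUMS file itself so that a plain-http man-in-the-middle cannot simply rewrite both. The following is an added example, not code from Debian, CPAN.pm or cpanminus, that shows both steps: a small parser for the Perl hash that CPAN writes into CHECKSUMS, a digest-and-size comparison, and a signature check that shells out to `gpg` (the keyring path is a placeholder; the CHECKSUMS text and tarball bytes are constructed samples modelled on the real format).

```python
"""Verify a downloaded CPAN distribution against a mirror's CHECKSUMS file.

Added example (not Debian's, CPAN.pm's or cpanminus' code).  Two checks:
  1. sha256 and size of the tarball against its CHECKSUMS entry;
  2. the PGP signature on CHECKSUMS itself, via an external gpg binary.
Without step 2 an attacker who can tamper with an http download can
rewrite CHECKSUMS to match a trojaned tarball, so step 1 alone proves nothing.
"""
import hashlib
import re
import shutil
import subprocess

# The CHECKSUMS body is a Perl hash, one entry per file:
#   'Dist-1.0.tar.gz' => { 'sha256' => '...', 'size' => 123, ... },
ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'?([^',\s]+)'?")


def parse_checksums(text):
    """Return {filename: {field: value}} for every entry in CHECKSUMS text."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = dict(FIELD_RE.findall(body))
    return entries


def verify_distribution(tarball_bytes, entry):
    """Compare tarball bytes with one CHECKSUMS entry; return (ok, reason)."""
    if len(tarball_bytes) != int(entry["size"]):
        return False, "size mismatch"
    if hashlib.sha256(tarball_bytes).hexdigest() != entry["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


def check_download(checksums_text, filename, tarball_bytes):
    """Full digest check for one file named in CHECKSUMS."""
    entries = parse_checksums(checksums_text)
    if filename not in entries:
        return False, "no CHECKSUMS entry"
    return verify_distribution(tarball_bytes, entries[filename])


def verify_signature(checksums_path, keyring_path):
    """Verify the clearsigned CHECKSUMS file with gpg against a trusted keyring.

    keyring_path is a placeholder: point it at a keyring that holds only the
    CPAN signing key.  Returns None if gpg is not installed, else True/False.
    """
    if shutil.which("gpg") is None:
        return None
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", checksums_path],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed sample data: a fake "tarball" and a CHECKSUMS file describing it.
GOOD_TARBALL = b"constructed tarball payload, not a real CPAN distribution\n"
CHECKSUMS_TEXT = """0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {
  'Example-Dist-1.00.tar.gz' => {
    'md5' => '%s',
    'sha256' => '%s',
    'size' => %d,
    'mtime' => '2019-10-26',
  },
};
__END__
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
""" % (hashlib.md5(GOOD_TARBALL).hexdigest(),
       hashlib.sha256(GOOD_TARBALL).hexdigest(),
       len(GOOD_TARBALL))

if __name__ == "__main__":
    name = "Example-Dist-1.00.tar.gz"
    print(check_download(CHECKSUMS_TEXT, name, GOOD_TARBALL))         # (True, 'ok')
    print(check_download(CHECKSUMS_TEXT, name, GOOD_TARBALL + b"x"))  # (False, 'size mismatch')
```

In a real fetch the order matters: run `verify_signature` on the downloaded CHECKSUMS first and refuse to continue unless it returns True (None means gpg is missing, which should also be treated as a failure rather than silently skipped), and only then compare the tarball with `check_download`. Restricting gpg to a dedicated keyring keeps an unrelated key in the user's default keyring from satisfying the check.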