Bug#764868: IO::Socket::SSL - external tests in test suite can be disabled but are enabled by default

Steffen Ullrich sullr at cpan.org
Sat Oct 11 21:12:52 UTC 2014


Hi,
I'm the maintainer of IO::Socket::SSL and I've just found your serious
problem report about IO::Socket::SSL doing network connections to external
sites during testing.

IO::Socket::SSL will ask during the build if the tests should be run, and
you can deny running external tests. But the default is true for the
following reason:
To make it secure by default, an SSL library must have a usable set of
trusted CAs. IO::Socket::SSL tries to use the system CA store (i.e.
/etc/ssl/certs in Debian) to integrate with the rest of the system.
Of course it needs to be verified that the default CA is usable for common
tasks, that is, it must provide the trusted CA for common targets.
The best way is to actually try to connect to these targets and make
sure the connection can be verified. The tests will detect SSL
intercepting proxies or other problems and disable further tests in these
cases.

I can understand that you are not comfortable letting arbitrary tests connect
to external sites in all situations. But, in my opinion, anybody who does not
like this should run any builds and tests within restricted environments
without or with only limited network access anyway.

Apart from that, I'm happy to check any kind of environment variable which
would indicate that the user is not willing to run external tests. Just let
me know the details.


Regards,
Steffen
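The probe the message describes, written out as an added example (it is not code from IO::Socket::SSL or its test suite): connect to a few public HTTPS targets with full chain and host-name verification against the system CA store, honour an opt-out environment variable, and exit non-zero when nothing could be verified so a harness can skip the remaining network-dependent tests. The opt-out variable name `NO_NETWORK_TESTING`, the `SSL_CA_PATH` override and the two target hosts are assumptions chosen for this example; the script needs network access to do anything beyond the opt-out check.

```perl
#!/usr/bin/env perl
# Added example, not part of IO::Socket::SSL or its test suite.
# Probes public HTTPS targets with certificate verification against the
# system CA store, honours an opt-out environment variable, and exits
# non-zero when no target verifies (e.g. behind an SSL intercepting proxy
# whose CA is not in the store) so a harness can disable further tests.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Opt-out variable: an assumption for this example, not one the module checks.
if ( $ENV{NO_NETWORK_TESTING} ) {
    print "NO_NETWORK_TESTING is set, skipping external TLS checks\n";
    exit 0;
}

# Debian's system store as named in the message; SSL_CA_PATH is an
# assumed override for other systems.
my $ca_path = $ENV{SSL_CA_PATH} || '/etc/ssl/certs';

# Targets picked for this example only; the real suite chooses its own.
my @targets = qw(www.debian.org www.perl.org);

my %result;
for my $host (@targets) {
    $result{$host} = probe_host( $host, $ca_path );
}

my $verified = grep { $_->{verified} } values %result;
for my $host ( sort keys %result ) {
    my $r = $result{$host};
    if ( $r->{verified} ) {
        print "$host: verified, issuer: $r->{issuer}\n";
    }
    else {
        print "$host: NOT verified: $r->{error}\n";
    }
}

if ( $verified == 0 ) {
    print "no target could be verified; disable further external tests\n";
    exit 1;
}
exit 0;

# Connect to $host:443, verify the chain against $ca_path and check that the
# certificate matches the host name. Returns a hash ref with the outcome.
sub probe_host {
    my ( $host, $ca_path ) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => 443,
        Timeout             => 10,
        SSL_verify_mode     => SSL_VERIFY_PEER,    # fail on an unverifiable chain
        SSL_ca_path         => $ca_path,
        SSL_verifycn_scheme => 'http',             # also check the host name
        SSL_verifycn_name   => $host,
    );
    if ( !$sock ) {
        # $SSL_ERROR carries the TLS/verification failure (for example
        # "certificate verify failed"); $! carries a plain TCP failure.
        my $err = $SSL_ERROR ? "$SSL_ERROR" : "$!";
        return { verified => 0, error => $err };
    }
    # A proxy whose CA is in the local store passes verification; the
    # issuer returned here is what lets an operator spot that case.
    my $issuer = $sock->peer_certificate('issuer');
    $sock->close;
    return { verified => 1, issuer => $issuer };
}
```

Run it with `NO_NETWORK_TESTING=1` to confirm the opt-out path, and without it on a host behind an intercepting proxy to see the verification failure the message refers to; an interception whose CA has been added to /etc/ssl/certs will verify, which is why the issuer is printed alongside the result.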
 



More information about the pkg-perl-maintainers mailing list