
First pass at adding HTTPS support to CPAN.

Open dweekly opened this issue 6 years ago • 9 comments

To address https://github.com/andk/cpanpm/issues/118

Adds HTTPS to MIRRORED.BY and enforces cert checks with LWP using Mozilla::CA.

dweekly avatar May 24 '18 05:05 dweekly

https support, and having a default urllist pointing to an https site, seems like a great thing to have.

References:

https://perlmonks.org/?node_id=11108980

https://rt.cpan.org/Public/Bug/Display.html?id=130819

MartinMcGrath avatar Nov 21 '19 13:11 MartinMcGrath

May want to consider adding LWP::Protocol::https as a new preferred-but-optional dependency? Wasn't sure of the best place to add that.

dweekly avatar May 18 '20 20:05 dweekly

Oh, sorry, I haven't been paying enough attention, not sure how it happened. Now I looked and I'm not happy when I see such a line in a patch:

+               map { $->can( 'https' ) ? $_->https : $_->http } @mirrors
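Review bot: `$->can( 'https' )` performs the method lookup on `$-` rather than on the map's iterator variable; it should read `$_->can('https')`, matching the `$_->https` and `$_->http` operands on the same line. Note also that this ternary only falls back to http when a mirror object has no `https` method at all; it offers no fallback when the https URL exists but the client cannot complete a verified TLS connection, so a separate transport-level fallback (or an explicit config switch) is still needed on top of this line.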

Probably not tested? I'm also not happy, when http is simply replaced with https, it should be a seamless fallback when people have broken https support or do not want to use https. I'm not sure how to do this right either or I would have taken care of this sooner.

andk avatar May 19 '20 08:05 andk

Hi, @andk! Thanks for the feedback and review.

Let me: A) Fix the typo. B) Add more tests. C) Handle if HTTPS is not available gracefully.

Do you think there should be a config setting to disable HTTPS?

dweekly avatar May 19 '20 16:05 dweekly

On Tue, 19 May 2020 09:34:03 -0700, "David E. Weekly" said:

Hi, @andk! Thanks for the feedback and review. Let me: A) Fix the typo. B) Add more tests. C) Handle if HTTPS is not available gracefully.

Thank you, I'm looking forward to another PR.

Do you think there should be a config setting to disable HTTPS?

I think this is most probably a good way forward.

Thanks again and good luck,

andreas

andk avatar May 19 '20 17:05 andk

@andk Before proceeding much further, I thought it would be helpful to articulate the vision and plan here to get your input on the direction: https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit?usp=sharing

dweekly avatar May 23 '20 00:05 dweekly

Thanks a lot. I think I'm through with commenting now. I have added 5 comment boxes.

andk avatar May 24 '20 14:05 andk

@dweekly FYI, some sections of that document are now resolved by nature of the CPAN mirror network now being redundant - see https://log.perl.org/2021/02/cpan-mirror-list-changes.html

Grinnz avatar Mar 11 '21 16:03 Grinnz

@dweekly FYI, some sections of that document are now resolved by nature of the CPAN mirror network now being redundant - see https://log.perl.org/2021/02/cpan-mirror-list-changes.html

@Grinnz - thanks for flagging. I think it's fair that dealing with a diversity of CPAN endpoints will now be moot with the deprecation of the MIRRORED.BY list, but CPAN should still ensure that the connection to www.cpan.org is secure and authenticated (namely, using >=TLS 1.2 with hostname verification to ensure you're talking to the real CPAN.org) in order to close off a range of MITM attacks on Perl users and services.

dweekly avatar Mar 11 '21 18:03 dweekly
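The following is an added illustration of the behaviour the thread converges on (prefer https with strict certificate and hostname checks, require TLS 1.2 or newer, fall back to http only when https support is genuinely absent or explicitly disabled, and never downgrade silently on a TLS failure). It is not code from the cpanpm PR or from the CPAN.pm code base. `LWP::UserAgent`, `LWP::Protocol::https`, `Mozilla::CA` and the `IO::Socket::SSL` option names are real CPAN modules and options; the `%config` hash with its `use_https` key and the `{ http => ..., https => ... }` mirror record shape are assumptions standing in for whatever CPAN::Config setting and MIRRORED.BY representation the PR would eventually use.

```perl
#!/usr/bin/env perl
# Added example, not code from the cpanpm PR: choose an https mirror URL when
# possible, verify the peer strictly, and fall back to http only when https is
# unavailable in this Perl or turned off by the operator.
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical config knob standing in for a future CPAN::Config setting.
# 0 means "never use https", which andk asked for as an explicit option.
my %config = ( use_https => 1 );

# Can this Perl speak https at all? LWP::Protocol::https pulls in
# IO::Socket::SSL; Mozilla::CA supplies a CA bundle when the OS has none.
sub https_available {
    return eval { require LWP::Protocol::https; require Mozilla::CA; 1 } ? 1 : 0;
}

# A UserAgent that refuses unverified peers and anything below TLS 1.2.
sub strict_https_ua {
    require Mozilla::CA;
    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,                           # SAN/CN must match the host
            SSL_ca_file     => Mozilla::CA::SSL_ca_file(),  # trust anchors for the chain
            # IO::Socket::SSL syntax: negotiate, but exclude every version below TLS 1.2
            SSL_version     => 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1',
        },
    );
}

# Pick the URL to use from an assumed mirror record of the form
# { http => 'http://...', https => 'https://...' } where https may be absent.
sub pick_url {
    my ($mirror) = @_;
    if ( $config{use_https} && $mirror->{https} && https_available() ) {
        return $mirror->{https};
    }
    return $mirror->{http};
}

# Fetch a path from a mirror. A TLS or certificate failure on https is reported
# as an error and NOT retried over plain http: that automatic downgrade is
# exactly the behaviour an on-path attacker would want to trigger.
sub fetch {
    my ( $mirror, $path ) = @_;
    my $url = pick_url($mirror) . $path;
    my $ua  = $url =~ /^https:/
        ? strict_https_ua()
        : LWP::UserAgent->new( timeout => 30 );
    my $res = $ua->get($url);
    die sprintf "fetch of %s failed: %s\n", $url, $res->status_line
        unless $res->is_success;
    return $res->decoded_content;
}

# Offline demonstration of the selection logic on constructed mirror records.
my @mirrors = (
    { http => 'http://www.cpan.org',        https => 'https://www.cpan.org' },
    { http => 'http://mirror.example.test' },   # constructed: no https endpoint
);
printf "https support in this Perl: %s\n", https_available() ? 'yes' : 'no';
printf "%-28s -> %s\n", $_->{http}, pick_url($_) for @mirrors;

$config{use_https} = 0;   # operator opt-out: every mirror falls back to http
printf "with use_https=0: %s\n", pick_url( $mirrors[0] );
```

The `SSL_version` exclusion string sets a floor of TLS 1.2 while still letting the library negotiate 1.3 where available; `verify_hostname` is what turns a valid-but-wrong certificate into a hard failure. Running the script prints only the chosen URLs, so it needs no network; call `fetch()` against a real mirror to exercise the verified connection.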