Suggestion: mention `pushy_https` in the help of CPAN mirror
Perl-5.36.0 defaults to pushy_https = 1, and with this setting CPAN refuses to use any mirror configured in urllist.
I think we should add `o conf pushy_https 0` to the help. (Maybe we also need a note about the possible security implications of this setting?)
It seems that CPAN 2.29 introduced this flag, and Perl-5.36.0 upgraded the CPAN module from 2.28 to 2.33.
pushy_https Boolean. Defaults to true. If this option is true, the cpan shell will use https://cpan.org/ to download stuff from the CPAN. It will fall back to http://cpan.org/ if it can't handle https for some reason (missing modules, missing programs). Whenever it falls back to the http protocol, it will issue a warning.
If this option is true, the option urllist will be ignored. Consequently, if you want to work with local mirrors via your own configured list of URLs, you will have to choose no below.
https://metacpan.org/release/ANDK/CPAN-2.29/view/lib/CPAN/FirstTime.pm
CPAN has been upgraded from version 2.28 to 2.33.
https://perldoc.perl.org/perldelta
As indicated by our help doc, to configure CPAN one must first create MyConfig.pm using mkmyconfig, which bootstraps from cpan.org instead of our mirror.
I've managed to bootstrap with our mirror site using the following command:
PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'CPAN::HandleConfig->edit("pushy_https", 0); CPAN::HandleConfig->edit("urllist", "unshift", "https://mirrors.tuna.tsinghua.edu.cn/CPAN/"); mkmyconfig'
> I think we should add `o conf pushy_https 0` into the help.
Indeed.
> (Maybe we also need a note about the possible security implications with this setting?)
What's your opinion on security implications that should be noted? It seems that CPAN itself does not give notes on security implications.
The addition of pushy_https is an action to fix some security vulnerabilities, details at http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html.
I guess the content of the security note should depend on "how much a normal user can trust the integrity of the TUNA mirror". I don't know the infrastructure of the TUNA mirror very well, so I don't have any specific opinion here...
One thing is certain: nobody should use http://mirrors.tuna.tsinghua.edu.cn/CPAN (https:// should be used instead). The URL in the help is already https anyway.
> The addition of `pushy_https` is an action to fix some security vulnerabilities, details at http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html.
It seems that cpan can check the GnuPG signature, so as long as the public key does not come from TUNA and the user enables the check_sigs option, the files they get should be authentic.
Maybe we could add a note before the help doc, just like https://mirrors.tuna.tsinghua.edu.cn/help/fedora/ has done, and tell the user to enable the check_sigs option to get a better security guarantee.
> tell the user to enable the `check_sigs` option to get a better security guarantee.
It seems non-trivial.
For bootstrapping with check_sigs set to 1, cpan will suggest:
CPAN: Module::Signature security checks disabled because Module::Signature
not installed. Please consider installing the Module::Signature module.
You may also need to be able to connect over the Internet to the public
key servers like pool.sks-keyservers.net or pgp.mit.edu.
The user must bootstrap from cpan.org and install Module::Signature from cpan.org first; only then can they install packages with signature checking from TUNA.
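As an added example (my own code, not from the TUNA help pages or from CPAN.pm), here is a Perl script that audits a CPAN.pm configuration for the three points raised in this thread: urllist being silently ignored while pushy_https is true, a mirror URL over plain http, and check_sigs enabled without Module::Signature installed. It assumes a standard CPAN.pm install (CPAN::HandleConfig's require_myconfig_or_config locates ~/.cpan/CPAN/MyConfig.pm or the site CPAN::Config) or a MyConfig.pm path passed on the command line for offline use; the script name and the wording of the findings are my own.

```perl
#!/usr/bin/env perl
# cpan-config-audit.pl (hypothetical name): audit a CPAN.pm configuration for
# the pitfalls discussed in this thread. Added example, not code from the TUNA
# help pages or from CPAN.pm itself.
#
#   perl cpan-config-audit.pl                  # audit ~/.cpan/CPAN/MyConfig.pm or CPAN::Config
#   perl cpan-config-audit.pl path/MyConfig.pm # audit a specific config file offline
use strict;
use warnings;
use File::Spec;

# Load the configuration into $CPAN::Config. A MyConfig.pm is plain Perl that
# assigns that hashref, so `do FILE` is enough when a path is given; otherwise
# ask CPAN::HandleConfig to locate the user's or the site's config file.
sub load_config {
    my ($path) = @_;
    if (defined $path) {
        my $abs = File::Spec->rel2abs($path);    # `do` no longer searches "." by default
        do $abs or die "cannot load $abs: " . ($@ || $!) . "\n";
    }
    else {
        require CPAN::HandleConfig;
        CPAN::HandleConfig->require_myconfig_or_config
            or die "no CPAN::MyConfig or CPAN::Config found\n";
    }
    die "config did not set \$CPAN::Config\n" unless ref $CPAN::Config eq 'HASH';
    return $CPAN::Config;
}

# Returns a list of findings; an empty list means the config is consistent with
# "fetch from this mirror over https and verify signatures".
sub audit_config {
    my ($cfg)   = @_;
    my $pushy   = $cfg->{pushy_https};
    my @urllist = @{ $cfg->{urllist} || [] };
    my @findings;

    # pushy_https=1 means CPAN.pm talks to https://cpan.org/ and ignores urllist.
    if (!exists $cfg->{pushy_https}) {
        push @findings, "pushy_https is not set in this config; run 'o conf init pushy_https' and set it explicitly";
    }
    elsif ($pushy && @urllist) {
        push @findings, "pushy_https is true, so urllist (@urllist) is ignored; set 'o conf pushy_https 0'";
    }
    elsif (!$pushy && !@urllist) {
        push @findings, "pushy_https is false and urllist is empty; add a mirror with 'o conf urllist push https://...'";
    }
    # A plain-http mirror lets an on-path attacker serve CHECKSUMS and tarballs of their choice.
    for my $url (@urllist) {
        push @findings, "urllist entry uses plain http, use https instead: $url" if $url =~ m{^http://}i;
    }
    # check_sigs only has an effect if Module::Signature is installed; otherwise CPAN.pm warns and skips.
    if ($cfg->{check_sigs}) {
        my $have_ms = eval { require Module::Signature; 1 };
        push @findings, "check_sigs is on but Module::Signature is not installed; SIGNATURE files will not be verified"
            unless $have_ms;
    }
    else {
        push @findings, "check_sigs is off; distribution SIGNATURE files will not be verified";
    }
    return @findings;
}

unless (caller) {
    my $cfg      = load_config($ARGV[0]);
    my @findings = audit_config($cfg);
    if (@findings) {
        print "- $_\n" for @findings;
        exit 1;
    }
    printf "OK: pushy_https=%d urllist=[%s] check_sigs=%d\n",
        $cfg->{pushy_https} ? 1 : 0, join(' ', @{ $cfg->{urllist} || [] }), $cfg->{check_sigs} ? 1 : 0;
}
```

Each finding names the cpan shell command that fixes it; the full set for the setup discussed here is `o conf pushy_https 0`, `o conf urllist push https://mirrors.tuna.tsinghua.edu.cn/CPAN/`, `o conf check_sigs 1` and then `o conf commit`, with Module::Signature installed beforehand as described above. The script exits non-zero when anything is flagged, so it can be run after bootstrapping to confirm that the mirror, not cpan.org, is actually in use.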