Perl / docker-perl

Dockerfiles for index.docker.io (official Perl Docker image)
https://registry.hub.docker.com/_/perl/
Artistic License 2.0
119 stars 51 forks

Ensure cpanm downloads modules over HTTPS #164

Closed dgl closed 2 months ago

dgl commented 3 months ago

Currently cpanminus defaults to using http, it doesn't know enough about the environment it is in for that to be possible to change (yet). Note that cpm does use HTTPS by default, so it's a potentially surprising difference depending which package manager is picked.

However, this image knows it has ca-certificates and a way to download over HTTPS, so it can default the mirror to the HTTPS version of the default URL. This is roughly following the suggestion from https://github.com/miyagawa/cpanminus/issues/611#issuecomment-648642186 -- except using only --mirror and without the --verify part.

If Module::Signature was installed it would be possible to add --verify too, although there is a chain of trust issue there as well as needing more tools in the image (gpg), unless we also use the approach in #163 for Module::Signature and its deps.

tl;dr: This is the most minimal change that I think slightly raises the security bar.

waterkip commented 3 months ago

We have reverted it in the past because of several issues. See https://github.com/Perl/docker-perl/pull/115 for a discussion on those. I don't think we can merge this, sorry.

dgl commented 3 months ago

@waterkip this is very carefully not setting --mirror-only or --from; it avoids the issue the revert was needed for. It uses https:// URLs for the CPAN meta DB search and the CPAN download, it does not change anything about backpan (which will still use HTTP for now).

dgl commented 3 months ago

Basic sanity test with the issue from #116:

root@b94a07ba268d:~# export PERL_CPANM_OPT="-M https://www.cpan.org"
root@b94a07ba268d:~# cpanm App::cpm@0.997002
Found App::cpm 0.997017 which doesn't satisfy == 0.997002.
root@b94a07ba268d:~# export PERL_CPANM_OPT="--cpanmetadb https://cpanmetadb.plackperl.org/v1.0/ --mirror https://www.cpan.org"
root@b94a07ba268d:~# cpanm App::cpm@0.997002
--> Working on App::cpm
Fetching http://backpan.perl.org/authors/id/S/SK/SKAJI/App-cpm-0.997002.tar.gz ... OK

So backpan works, the download happens over HTTP, but there's not an option for that until cpanminus supports it properly.

zakame commented 3 months ago

Hi @dgl, thanks for the PR!

There's actually some upstream work being done with this, cc @stigtsp @garu https://github.com/miyagawa/cpanminus/pull/674

To add to what @waterkip said, the core issue with using ENV PERL_CPANM_OPT is that it can violate the principle of least astonishment: someone or something downstream calling cpanm can break down because it is not expected for this environment variable to be set. A good example would be someone using their own DarkPAN first before the standard CPAN (regardless of HTTP/S) - as it stands in https://github.com/miyagawa/cpanminus/blob/96fd87ebbcc565ed9f367e7486af401b10182c38/Menlo-Legacy/lib/Menlo/CLI/Compat.pm#L152-L153, setting an HTTPS mirror first through the variable would break this.

At the moment, I'd rather propose using App::cpm for doing installs if HTTPS is strongly preferred, since that already uses HTTPS by default - I am considering amending the documentation here and in https://github.com/docker-library/official-images to use cpm install instead of cpanm.
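The two points made in this thread, that the image's PERL_CPANM_OPT mirror ends up ahead of any mirror a downstream user passes, and that -M/--from additionally forces mirror-only mode and so breaks the backpan lookup shown above, can be checked without a network. The following POSIX shell helper is an added example written for this page, not code from docker-perl or cpanminus. It assumes cpanm's documented behaviour of splitting PERL_CPANM_OPT on whitespace and prepending it to the command-line arguments; the DarkPAN host name is a constructed placeholder.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of docker-perl): reconstruct the mirror
# list cpanm would see given PERL_CPANM_OPT plus the command-line options.
# Assumption: cpanm prepends the split PERL_CPANM_OPT to its arguments.

# cpanm_mirrors ENV_OPTS ARGS... -> one mirror URL per line, in the order
# cpanm would consult them
cpanm_mirrors() {
    env_opts=$1
    shift
    # Word-split the env string exactly like cpanm's split /\s+/.
    # shellcheck disable=SC2086
    set -- $env_opts "$@"
    while [ $# -gt 0 ]; do
        case $1 in
            --mirror|-M|--from)
                [ $# -ge 2 ] || return 1   # option given without a URL
                shift
                printf '%s\n' "$1"
                ;;
            --mirror=*)
                printf '%s\n' "${1#--mirror=}"
                ;;
            --from=*)
                printf '%s\n' "${1#--from=}"
                ;;
            --cpanmetadb)
                shift   # consume the metadb URL; it is not a mirror
                ;;
        esac
        shift
    done
}

# first_mirror ENV_OPTS ARGS... -> the mirror cpanm would try first
first_mirror() {
    cpanm_mirrors "$@" | sed -n '1p'
}

# count_http_mirrors ENV_OPTS ARGS... -> number of mirrors fetched over plain HTTP
count_http_mirrors() {
    cpanm_mirrors "$@" | grep -c '^http://' || true
}

# mirror_only_set ENV_OPTS ARGS... -> "yes" if -M/--from/--mirror-only is present,
# i.e. cpanm would skip the meta DB and backpan lookups (the #116 failure mode)
mirror_only_set() {
    env_opts=$1
    shift
    # shellcheck disable=SC2086
    set -- $env_opts "$@"
    for arg; do
        case $arg in
            -M|--from|--from=*|--mirror-only)
                echo yes
                return 0
                ;;
        esac
    done
    echo no
}

# Constructed scenario from the thread: the image sets an HTTPS mirror through
# PERL_CPANM_OPT and a downstream user passes their own DarkPAN mirror, expecting
# it to be searched first.
IMAGE_OPTS="--cpanmetadb https://cpanmetadb.plackperl.org/v1.0/ --mirror https://www.cpan.org"
printf 'mirrors in effect, in order:\n'
cpanm_mirrors "$IMAGE_OPTS" --mirror https://darkpan.example.internal
printf 'mirror-only mode: %s\n' "$(mirror_only_set "$IMAGE_OPTS" --mirror https://darkpan.example.internal)"
```

Running the script shows www.cpan.org listed before the DarkPAN mirror, which is the ordering change zakame describes; replacing `--mirror` in IMAGE_OPTS with `-M` flips mirror-only mode to "yes", the configuration that failed the pinned App::cpm install earlier in the thread.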