andk / cpanpm

CPAN.pm

First pass at adding HTTPS support to CPAN. #119

Open dweekly opened 6 years ago

dweekly commented 6 years ago

To address https://github.com/andk/cpanpm/issues/118

Adds HTTPS to MIRRORED.BY and enforces cert checks with LWP using Mozilla::CA.

MartinMcGrath commented 4 years ago

https support, and having a default urllist pointing to an https site, seems like a great thing to have.

References:

https://perlmonks.org/?node_id=11108980

https://rt.cpan.org/Public/Bug/Display.html?id=130819

dweekly commented 4 years ago

May want to consider adding LWP::Protocol::https as a new preferred-but-optional dependency? Wasn't sure of the best place to add that.

andk commented 4 years ago

Oh, sorry, I haven't been paying enough attention, not sure how it happened. Now I looked and I'm not happy when I see such a line in a patch:

+               map { $->can( 'https' ) ? $_->https : $_->http } @mirrors
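Review bot: `$->can( 'https' )` is not valid Perl; the receiver is missing, so this line cannot have compiled, let alone been exercised by a test. It should read `$_->can('https')` to match the `$_->https` and `$_->http` branches on the same line. Separately, the ternary switches every mirror that advertises https to https unconditionally, with no way back to http when the client's TLS stack is absent or the user has opted out, so the fallback asked for in the review has to be implemented around this map (e.g. a config-driven policy consulted before choosing the scheme) rather than inside it.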

Probably not tested? I'm also not happy when http is simply replaced with https; it should be a seamless fallback when people have broken https support or do not want to use https. I'm not sure how to do this right either, or I would have taken care of this sooner.

dweekly commented 4 years ago

Hi, @andk! Thanks for the feedback and review.

Let me: A) Fix the typo. B) Add more tests. C) Handle if HTTPS is not available gracefully.

Do you think there should be a config setting to disable HTTPS?

andk commented 4 years ago

On Tue, 19 May 2020 09:34:03 -0700, "David E. Weekly" notifications@github.com said:

> Hi, @andk! Thanks for the feedback and review. Let me: A) Fix the typo. B) Add more tests. C) Handle if HTTPS is not available gracefully.

Thank you, I'm looking forward to another PR.

> Do you think there should be a config setting to disable HTTPS?

I think this is most probably a good way forward.

Thanks again and good luck, -- andreas

dweekly commented 4 years ago

@andk Before proceeding much further, I thought it would be helpful to articulate the vision and plan here to get your input on the direction: https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit?usp=sharing

andk commented 4 years ago

Thanks a lot. I think I'm through with commenting now. I have added 5 comment boxes.

Grinnz commented 3 years ago

@dweekly FYI, some sections of that document are now resolved by nature of the CPAN mirror network now being redundant - see https://log.perl.org/2021/02/cpan-mirror-list-changes.html

dweekly commented 3 years ago

> @dweekly FYI, some sections of that document are now resolved by nature of the CPAN mirror network now being redundant - see https://log.perl.org/2021/02/cpan-mirror-list-changes.html

@Grinnz - thanks for flagging. I think it's fair that dealing with a diversity of CPAN endpoints will now be moot with the deprecation of the MIRRORED.BY list, but CPAN should still ensure that the connection to www.cpan.org is secure and authenticated (namely, using >=TLS 1.2 with hostname verification to ensure you're talking to the real CPAN.org) in order to close off a range of MITM attacks on Perl users and services.
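The thread asks for three things at once: HTTPS enforced with certificate and hostname checks (TLS 1.2 or newer against www.cpan.org), a seamless fallback for users whose Perl cannot speak HTTPS, and a config setting to turn HTTPS off. The following is an added example, not code from the PR or from CPAN.pm, showing one way to combine them in LWP. The `https_policy` key, the `make_ua`/`scheme_for_policy`/`fetch` names and the `cpan-https-example` agent string are assumptions of this example; `LWP::UserAgent`, its `ssl_opts` and `protocols_allowed` options, `Mozilla::CA::SSL_ca_file` and the `IO::Socket::SSL` `SSL_version` exclusion syntax are real APIs.

```perl
#!/usr/bin/env perl
# Added example (not part of the cpanpm PR): HTTPS-first fetching with an
# explicit policy knob, hostname verification and a TLS >= 1.2 floor.
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical config key; CPAN.pm's real config hash is not modelled here.
#   'require' : HTTPS only, any failure is reported and nothing is retried
#   'prefer'  : HTTPS when a TLS stack is installed, plain HTTP otherwise
#   'off'     : plain HTTP only (the "disable HTTPS" setting from the thread)
my %CONFIG = ( https_policy => 'prefer' );

# LWP only speaks HTTPS when LWP::Protocol::https (and with it
# IO::Socket::SSL) is installed; this is the optional dependency the PR
# discussion mentions.
sub https_stack_available {
    return eval { require LWP::Protocol::https; 1 } ? 1 : 0;
}

# Mozilla::CA ships a CA bundle for systems that have none of their own.
sub ca_bundle {
    return eval { require Mozilla::CA; Mozilla::CA::SSL_ca_file() };
}

sub make_ua {
    my ($allow_http) = @_;
    my %ssl = (
        verify_hostname => 1,    # verify the chain AND that the name matches
        # IO::Socket::SSL syntax: auto-negotiate, but refuse anything
        # older than TLS 1.2 (TLS 1.3 remains allowed).
        SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1',
    );
    my $ca = ca_bundle();
    $ssl{SSL_ca_file} = $ca if defined $ca;
    return LWP::UserAgent->new(
        agent    => 'cpan-https-example/0.01',    # assumed name
        timeout  => 30,
        ssl_opts => \%ssl,
        # When HTTP is not allowed, a redirect from https:// to http:// is
        # refused instead of silently downgrading the connection.
        protocols_allowed => $allow_http ? [ 'http', 'https' ] : ['https'],
    );
}

# Pick the scheme for a mirror from the policy. Under 'prefer' the fallback
# happens only when HTTPS cannot be spoken at all; a certificate or hostname
# failure is deliberately NOT a reason to retry over plain HTTP, because
# that would turn a detected man-in-the-middle into an undetected one.
sub scheme_for_policy {
    my $policy = $CONFIG{https_policy};
    return 'http'  if $policy eq 'off';
    return 'https' if $policy eq 'require';
    return https_stack_available() ? 'https' : 'http' if $policy eq 'prefer';
    die "unknown https_policy '$policy'\n";
}

sub fetch {
    my ( $host, $path ) = @_;
    my $scheme = scheme_for_policy();
    my $ua     = make_ua( $scheme eq 'http' );
    my $url    = "$scheme://$host$path";
    my $res    = $ua->get($url);
    return $res->decoded_content if $res->is_success;
    # On a TLS failure status_line carries IO::Socket::SSL's reason, e.g.
    # "500 Can't connect to www.cpan.org:443 (certificate verify failed)".
    warn "$url: ", $res->status_line, "\n";
    return undef;
}

# Stand-alone usage: fetch the front page of the canonical host.
if ( !caller ) {
    my $body = fetch( 'www.cpan.org', '/' );
    print defined $body ? "fetched " . length($body) . " bytes\n"
                        : "fetch failed\n";
}
```

The design choice worth noting is the asymmetry in `scheme_for_policy`: a missing TLS stack is a capability gap and gets the seamless http fallback the maintainer asked for, whereas a verification error is a security signal and is surfaced rather than worked around. Setting `protocols_allowed` to `['https']` closes the remaining downgrade path, a redirect from an https URL to an http one, which `verify_hostname` alone does not cover.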