Control: severity -1 wishlist Hi,
On Sun, Mar 15, 2020 at 06:44:19PM -0700, Felix Lechner wrote: > Package: libcpan-perl-releases-perl > Severity: important > > Dear maintainer, > > Your package uses the Perl module HTTP::Tiny (admittedly with plain > http://) but it does not set the verify_SSL attribute to a true value. > > By default, that module does not validate the identity of server > certificates. The documentation states that "Server identity > verification is controversial and potentially tricky..." [1] > > As late as 2015, upstream has been doubling up: "we're not going to be > responsible for the user's trust model" [2] > > I believe, on the other hand, that the encryption of a transmission > has no value when talking to the wrong person. You can easily see the > useless and dangerous default by running the script at the end of this > message. > > Will you please turn on the verify_SSL attribute in HTTP::Tiny? Unless mistaken, HTTP::Tiny is only used in tools/ which are installed as examples on how one can potentially use CPAN::Perl::Releases. Still, this should be adressed, but we won't diverge here from upstream, so this should be reported upstream/forwarded and then once fixed upstream close the bug. Regards, Salvatore

