Hi,

This Saturday at FOSDEM in the hallway I had some discussions with leont, Tux and later also with .. oh I guess that was RJBS? I did not introduce myself, very bad. Hi!

Basically I think the whole CPAN setup with 200+ mirrors sounded great back in the 1990s and it is still widely touted as a feature of CPAN. But I'm a bit concerned about package integrity. Most Linux distributions (where the packages and ISOs are typically LOTS bigger) that use mirrors have a system in place where they verify their packages with GPG keys. If you do that then having many mirrors outside of your control using plain HTTP is not a problem, but Perl does not *really* have something like that. Yeah of course there is the signatures list, which is GPG signed, but this signature is not checked 'out of the box' as far as I know. So assuming you can't really verify the integrity of a module on a mirror from the client, I think it would be best not to use any mirrors.

As far as I know, with StrawberryPerl or a client like cpanm, you only use one mirror anyway. Maybe the parties involved can share how much bandwidth it takes them to see if it would be feasible to switch to *one* source for CPAN with possibly a CDN underneath. The metacpan seems to have a decent CDN now, has SSL certificates and a complete index. I think they should be able to handle the additional data, but this is just based on my gut feeling of the scale of the thing, average dist size, and such, and not on actual facts.

The other problem is how to securely connect to the mirror. There is no support for SSL in core perl. But I think in many cases, it would be an acceptable solution to install IO::Socket::SSL from your linux distro's distribution, and then have the CPAN client 'auto-select' the https version of the cpan mirror. If desired the CPAN client could complain about not having SSL when IO::Socket::SSL is not installed.

Please let me know if this would be feasible and what your concerns would be. I'd be willing to contribute patches to the cpanpm client to use HTTPS if available, and to rip out the mirrorlist stuff.

-- Michiel
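As an added illustration (not part of Michiel's message, and not CPAN.pm's own code) of the two client-side checks the proposal implies: verifying the PAUSE-signed CHECKSUMS file and the downloaded distribution against it, and preferring HTTPS for the mirror when IO::Socket::SSL happens to be installed. It assumes the PAUSE CHECKSUMS layout (a PGP-clearsigned file whose body is a Data::Dumper style hash with a 'sha256' key per file), a gpg binary on PATH with the PAUSE signing key imported, and uses a placeholder where the PAUSE key fingerprint would go; the distribution name and file contents in the demo are constructed.

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm code: verify a downloaded dist against the
# mirror's CHECKSUMS file and prefer HTTPS when IO::Socket::SSL is present.
use strict;
use warnings;
use Digest::SHA ();                # core module
use File::Temp qw(tempfile);       # core module, used only for the demo

# Assumption: fingerprint of the PAUSE signing key, obtained out of band.
# Placeholder value; replace with the real fingerprint before use.
my $PAUSE_KEY_FPR = 'REPLACE_WITH_PAUSE_KEY_FINGERPRINT';

# Step 1: the CHECKSUMS file is PGP-clearsigned by PAUSE. Let gpg verify it
# and accept only a good signature made by the expected key, so a mirror
# cannot substitute a CHECKSUMS file signed by some other key.
sub checksums_signature_ok {
    my ($path) = @_;
    open(my $gpg, '-|', 'gpg', '--batch', '--status-fd', '1', '--verify', $path)
        or return 0;
    my ($good, $right_key) = (0, 0);
    while (my $line = <$gpg>) {
        $good      = 1 if $line =~ /^\[GNUPG:\] GOODSIG /;
        $right_key = 1 if $line =~ /^\[GNUPG:\] VALIDSIG \Q$PAUSE_KEY_FPR\E /;
    }
    close $gpg;
    return $good && $right_key;
}

# Step 2: pull the expected sha256 for one file out of the signed body with a
# regex instead of eval'ing the file, even though it is valid perl. Entries
# look like:  'Foo-1.00.tar.gz' => { 'sha256' => '<64 hex>', ... },
sub expected_sha256 {
    my ($checksums_text, $file) = @_;
    my ($entry) = $checksums_text =~ /'\Q$file\E'\s*=>\s*\{(.*?)\}/s
        or return undef;
    my ($sha) = $entry =~ /'sha256'\s*=>\s*'([0-9a-f]{64})'/
        or return undef;
    return $sha;
}

# Step 3: compare against the digest of the file actually downloaded.
# A file the CHECKSUMS does not list is rejected rather than trusted.
sub dist_matches_checksums {
    my ($checksums_text, $file, $local_path) = @_;
    my $want = expected_sha256($checksums_text, $file)
        or return 0;
    my $have = Digest::SHA->new(256)->addfile($local_path, 'b')->hexdigest;
    return $want eq $have;
}

# Transport: auto-select the https variant of the mirror URL if
# IO::Socket::SSL loads, and say so when it does not.
sub preferred_mirror_url {
    my ($url) = @_;
    if (eval { require IO::Socket::SSL; 1 }) {
        $url =~ s{^http://}{https://};
    } else {
        warn "IO::Socket::SSL not installed, falling back to plain HTTP\n";
    }
    return $url;
}

# Real flow: fetch CHECKSUMS from preferred_mirror_url(...), save it, require
# checksums_signature_ok($saved), then dist_matches_checksums(...) on the
# tarball. The demo below uses constructed data only (no network, no gpg):
# a fake dist and a CHECKSUMS body that lists it, then a tampered copy.
if (!caller) {
    my $dist       = 'Example-Dist-0.01.tar.gz';       # constructed name
    my $good_bytes = "constructed tarball contents\n"; # constructed payload
    my $sha        = Digest::SHA::sha256_hex($good_bytes);
    my $checksums  = <<"END";
\$cksum = {
  '$dist' => {
    'sha256' => '$sha',
    'size' => @{[ length $good_bytes ]}
  }
};
END
    for my $bytes ($good_bytes, "tampered tarball contents\n") {
        my ($fh, $path) = tempfile(UNLINK => 1);
        binmode $fh;
        print {$fh} $bytes;
        close $fh;
        my $ok = dist_matches_checksums($checksums, $dist, $path);
        printf "%s %s\n", ($ok ? 'ACCEPT' : 'REJECT'), $path;
    }
    print preferred_mirror_url('http://www.cpan.org/'), "\n";
}
```

Run as a script it accepts the first temp file and rejects the tampered one; the signature check is the part that actually lets plain-HTTP mirrors stay in the picture, since without it a mirror can rewrite both the tarball and the CHECKSUMS file together.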