Doesn't cpan know how to use curl or wget if the system has it installed? Probably easier to bootstrap TLS support in perl that way.
-Mike

On Feb 3, 2015 2:26 PM, "Michiel Beijen" <michiel.bei...@gmail.com> wrote:
> Hi,
>
> This Saturday at FOSDEM in the hallway I had some discussions with
> leont, Tux and later also with .. oh I guess that was RJBS? I did not
> introduce myself, very bad. Hi!
>
> Basically I think the whole CPAN setup with 200+ mirrors sounded great
> back in the 1990s and it is still widely touted as a feature of CPAN.
> But I'm a bit concerned about package integrity. Most Linux
> distributions (where the packages and ISOs are typically LOTS bigger)
> that use mirrors have a system in place where they verify their
> packages with GPG keys. If you do that then having many mirrors
> outside of your control using plain HTTP is not a problem, but Perl
> does not *really* have something like that. Yeah of course there is
> the signatures list, which is GPG signed, but this signature is not
> checked 'out of the box' as far as I know.
>
> So assuming you can't really verify the integrity of a module on a
> mirror from the client, I think it would be best not to use any
> mirrors.
> As far as I know, with StrawberryPerl or a client like cpanm, you only
> use one mirror anyway. Maybe the parties involved can share how much
> bandwidth it takes them to see if it would be feasible to switch to
> *one* source for CPAN with possibly a CDN underneath. The metacpan
> seems to have a decent CDN now, has SSL certificates and a complete
> index. I think they should be able to handle the additional data, but
> this is just based on my gut feeling of scale of the thing, average
> dist size, and such and not on actual facts.
>
> The other problem is how to securely connect to the mirror. There is
> no support for SSL in core perl. But I think in many cases, it would
> be an acceptable solution to install IO::Socket::SSL from your Linux
> distro's distribution, and then have the CPAN client 'auto-select' the
> https version of the cpan mirror. If desired the CPAN client could
> complain about not having SSL when IO::Socket::SSL is not installed.
>
> Please let me know if this would be feasible and what your concerns would
> be.
>
> I'd be willing to contribute patches to the cpanpm client to use HTTPS
> if available, and to rip out the mirrorlist stuff.
> --
> Michiel
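The behaviour sketched in the quoted message (prefer the https form of the mirror URL when IO::Socket::SSL is loadable, complain when it is not, and check a downloaded distribution against the sha256 in the mirror's CHECKSUMS file) as an added example. This is illustrative code written for this page, not code from CPAN.pm, cpanm or either poster. It assumes a perl whose HTTP::Tiny has the can_ssl method, plus the core Digest::SHA and Safe modules; the mirror URL, the CHECKSUMS text and the "distribution" bytes are constructed for the example and are not real.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;                  # core module; can_ssl assumed available in this version
use Digest::SHA qw(sha256_hex);  # core module
use Safe;                        # core module; used to evaluate the CHECKSUMS data safely

# Return the https form of a mirror URL when TLS support is present
# (IO::Socket::SSL and Net::SSLeay loadable); otherwise keep plain http
# and complain, as the proposal describes.
sub select_mirror_url {
    my ($url) = @_;
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    if ($ok) {
        (my $https = $url) =~ s{^http://}{https://};
        return $https;
    }
    $why //= 'IO::Socket::SSL not installed';
    warn "no TLS support ($why); falling back to plain HTTP for $url\n";
    return $url;
}

# A client that actually verifies the server certificate. Older HTTP::Tiny
# releases default to verify_SSL => 0, so an https URL on its own gives
# confidentiality but not authenticity unless this option is set.
sub make_client {
    return HTTP::Tiny->new(verify_SSL => 1, agent => 'cpan-https-example/0.1');
}

# Check $dist_bytes against the sha256 recorded for $dist_name in a
# CHECKSUMS file body. The body is a Perl data structure assigning to
# $cksum, so it is evaluated in a Safe compartment rather than with eval.
# This checks the hash only; it does not verify the PGP signature that
# wraps a real CHECKSUMS file, which is the gap the thread is about.
sub verify_dist {
    my ($dist_name, $dist_bytes, $checksums_text) = @_;
    my $cksum = Safe->new->reval($checksums_text);
    die "cannot parse CHECKSUMS: $@" if $@;
    die "CHECKSUMS did not yield a hash\n" unless ref $cksum eq 'HASH';
    my $entry    = $cksum->{$dist_name} or die "$dist_name not listed in CHECKSUMS\n";
    my $expected = $entry->{sha256}     or die "no sha256 recorded for $dist_name\n";
    return sha256_hex($dist_bytes) eq lc $expected;
}

# --- constructed sample data (hypothetical mirror, CHECKSUMS and tarball) ---
my $mirror = 'http://cpan.example.org/';
my $checksums_text = <<'END';
$cksum = {
  'Example-Dist-1.00.tar.gz' => {
    'sha256' => 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
    'size'   => 3,
  },
};
END
my $good_bytes     = 'abc';   # stands in for the tarball; sha256("abc") is the digest above
my $tampered_bytes = 'abd';   # one byte changed, as a mirror serving a modified file would

printf "mirror: %s\n", select_mirror_url($mirror);
printf "genuine dist verifies:  %s\n",
    verify_dist('Example-Dist-1.00.tar.gz', $good_bytes, $checksums_text) ? 'yes' : 'no';
printf "tampered dist verifies: %s\n",
    verify_dist('Example-Dist-1.00.tar.gz', $tampered_bytes, $checksums_text) ? 'yes' : 'no';
```

With IO::Socket::SSL present the first line prints the https form of the mirror; without it the script warns and keeps http, which is the "complain about not having SSL" behaviour from the proposal. verify_SSL => 1 needs a CA bundle HTTP::Tiny can find (the system store or Mozilla::CA), and even a verified TLS connection only proves you are talking to that mirror, not that the file it serves is what the author uploaded; the hash check against CHECKSUMS, and ultimately the PGP signature on CHECKSUMS itself, is what covers the mirror-tampering case the message raises.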