Absolutely correct! I forgot about that; it is used for perl < 5.14 where there is no HTTP::Tiny or LWP in core. And yes, this would be the best way to go about this I think.
Can anyone fill in on the feasibility of directing all cpan clients to *one* site, i.e. https://cpan.metacpan.org/ ?

--
Michiel

On Wednesday 4 February 2015, Mike Doherty <m...@mikedoherty.ca> wrote:

> Doesn't cpan know how to use curl or wget if the system has it installed?
> Probably easier to bootstrap TLS support in perl that way.
>
> -Mike
>
> On Feb 3, 2015 2:26 PM, "Michiel Beijen" <michiel.bei...@gmail.com> wrote:
>
>> Hi,
>>
>> This Saturday at FOSDEM in the hallway I had some discussions with
>> leont, Tux and later also with .. oh I guess that was RJBS? I did not
>> introduce myself, very bad. Hi!
>>
>> Basically I think the whole CPAN setup with 200+ mirrors sounded great
>> back in the 1990s and it is still widely touted as a feature of CPAN.
>> But I'm a bit concerned about package integrity. Most Linux
>> distributions (where the packages and ISOs are typically LOTS bigger)
>> who use mirrors have a system in place where they verify their
>> packages with GPG keys. If you do that then having many mirrors
>> outside of your control using plain HTTP is not a problem, but Perl
>> does not *really* have something like that. Yeah of course there is
>> the signatures list, which is GPG signed, but this signature is not
>> checked 'out of the box' as far as I know.
>>
>> So assuming you can't really verify the integrity of a module on a
>> mirror from the client, I think it would be best not to use any
>> mirrors.
>> As far as I know, with StrawberryPerl or a client like cpanm, you only
>> use one mirror anyway. Maybe the parties involved can share how much
>> bandwidth it takes them to see if it would be feasible to switch to
>> *one* source for CPAN with possibly a CDN underneath. The metacpan
>> seems to have a decent CDN now, has SSL certificates and a complete
>> index. I think they should be able to handle the additional data, but
>> this is just based on my gut feeling of scale of the thing, average
>> dist size, and such and not on actual facts.
>>
>> The other problem is how to securely connect to the mirror. There is
>> no support for SSL in core perl. But I think in many cases, it would
>> be an acceptable solution to install IO::Socket::SSL from your linux
>> distro's distribution, and then have the CPAN client 'auto-select' the
>> https version of the cpan mirror. If desired the CPAN client could
>> complain about not having SSL when IO::Socket::SSL is not installed.
>>
>> Please let me know if this would be feasible and what your concerns would
>> be.
>>
>> I'd be willing to contribute patches to the cpanpm client to use HTTPS
>> if available, and to rip out the mirrorlist stuff.
>> --
>> Michiel
>>
>
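The "auto-select the https mirror, complain if there is no SSL" idea from the quoted post, and Mike's curl/wget fallback, sketched as an added Perl example; this is not code from the thread or from any CPAN client, the mirror list is constructed, and `tls_transport`/`choose_mirror` are hypothetical names:

```perl
#!/usr/bin/env perl
# Added example: how a CPAN client could prefer HTTPS when the system can do
# TLS, and refuse to downgrade silently when it cannot. Not from any real client.
use strict;
use warnings;
use HTTP::Tiny;              # core since perl 5.14
use IPC::Cmd qw(can_run);    # core since perl 5.10

# Constructed mirror list: one TLS-capable single source (as proposed in the
# thread) plus a placeholder plain-HTTP mirror.
my @MIRRORS = (
    'https://cpan.metacpan.org/',
    'http://mirror.example.invalid/CPAN/',
);

# Which transport on this machine can speak TLS, if any.
# HTTP::Tiny->can_ssl (HTTP::Tiny 0.042+) is true only when IO::Socket::SSL
# and Net::SSLeay are installed in suitable versions; in list context it also
# returns the reason when they are not.
sub tls_transport {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    return 'HTTP::Tiny' if $ok;
    for my $tool (qw(curl wget)) {
        return $tool if can_run($tool);   # external tool with its own TLS stack
    }
    return undef;
}

# Rewrite http:// to https:// when TLS is available; otherwise keep the URL
# but say loudly that integrity cannot be verified over plain HTTP.
sub choose_mirror {
    my ($url, $transport) = @_;
    (my $secure = $url) =~ s{^http://}{https://};
    return ($secure, "using $transport for $secure") if defined $transport;
    return ($url, "WARNING: no TLS available (install IO::Socket::SSL or curl/wget); "
                . "falling back to plain $url, transfer cannot be verified");
}

my $transport = tls_transport();
for my $m (@MIRRORS) {
    my ($chosen, $note) = choose_mirror($m, $transport);
    print "$note\n";
}
```

On a box without IO::Socket::SSL and without curl/wget the script keeps the plain URL and prints the warning rather than quietly fetching over HTTP.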