Sadly I am coming to the same conclusion. As a development team we managed our own Perl on AIX/Unix. Upon our move to Red Hat GNU/Linux we looked forward to handing off that responsibility to the package manager (rpm via yum/dnf). After all our monthly patch cycles would pick up security items without us having to monitor and manage these on our own.

If the struggle continues without resolution I'll cycle back to give that consideration. However, that would be non-trivial undertaking as I would not only need to install all the required modules but I also need to interface with the system installed httpd (Apache) that is hosting Bugzilla.

I say "sadly" because I see see a lot of advantages in package management. But it only works if the OS vendor and sys-admin team avoid regressive steps.

I think the question you should be asking is:

How do I manage my non-OS perl installation (via perlbrew for example) with as little manual intervention as possible, as if I was updating it via my package manager?

Edit:

Sorry I missed this:

After all our monthly patch cycles would pick up security items withou
+t us having to monitor and manage these on our own.
[download]

CPAN may not be the best for security reviews of modules.

bw, bliako

> on our move to Red Hat GNU/Linux we looked forward to handing off that responsibility to the package manager (rpm via yum/dnf)
> ... our monthly patch cycles would pick up security items without us having to monitor and manage these on our own
>> ... CPAN may not be the best for security reviews of modules (bliako)

Good catch! The OP has been a bit vague about their Security Requirements.

Package Manager and CPAN Security

Package Manager and CPAN Security seems to be a difficult topic. Some references:

• cpan/cpanm integrity and authenticy checks concerns by hrcerq (Jul 2021) - my reply
• SOLVED: Key Not Certified in CPAN by dorko (Feb 2022) - and this reply
• CPAN clients exposed to sig-related vulnerabilities by hippo (Nov 2021)
• Re^4: pod2html: link (L<...>) formatting code (timeloop) by kcott (Dec 2021) - see responses from choroba
• Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums - Hackeriet blog
• Addressing CPAN vulnerabilities related to checksums - blog by Neil Bowers
• package managers still vulnerable: how to protect your systems (2009)
• Attacks on package managers (2009)
• RPM Package Manager (wikipedia)
• Linux package management with YUM and RPM
• Web of trust (wikipedia)
• Pretty Good Privacy including OpenPGP (wikipedia)
• GNU Privacy Guard (wikipedia)
• The GNU Privacy Guard (gnupg.org - GnuPG)
• SHA-2 (wikipedia) - includes sha256 (used in the example below to check perl-5.38.0.tar.gz)
• CPAN.pm Security
• CPAN Security Group - a community effort for supporting and responding to security incidents on CPAN
• Re: Software Bill of Materials (SBOM) in Perl and CPAN by sjn (Salve J. Nilsen, prodded by Tux to reply) (Sep 2024)
• Crypt::OpenPGP
• Module::Signature - adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file
• cpansign - CPAN signature management utility (part of Module::Signature)
• cpanp install, gpg: Can't check signature: No public key by QM (2012) - response by mikegold10 (2023)

Example: build perl v5.38 securely from source on Ubuntu

An example build and install of the latest perl v5.38.0 from source on my Ubuntu Linux VM using cpanm follows.

Do all steps below as non-root as a further precaution against accidentally mangling your system perl.

$ cd $HOME
$ mkdir localperl
$ cd localperl

$ wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz
$ sha256sum perl-5.38.0.tar.gz
213ef58089d2f2c972ea353517dc60ec3656f050dcc027666e118b508423e517  perl
+-5.38.0.tar.gz
# (eyeball this to verify it matches the value displayed at:
#  https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt)

$ tar -xzf perl-5.38.0.tar.gz
$ cd perl-5.38.0
$ ./Configure -des -Dprefix=$HOME/localperl
$ make 2>&1 | tee make.tmp
$ make test 2>&1 | tee test.tmp
$ make install 2>&1 | tee install.tmp
$ type perl
perl is /usr/bin/perl
$ export PATH=$HOME/localperl/bin:$PATH
$ type perl
perl is $HOME/localperl/bin/perl
$ perl -v
This is perl 5, version 38, subversion 0 (v5.38.0) built for x86_64-li
+nux
...
[download]

Next install cpanm using the cpan command:

$ cpan App::cpanminus 2>&1 | tee inst-cpanminus.tmp
[download]

to install the cpanm executable to the perl's bin path (e.g. ~/perl5/perlbrew/bin/cpanm). In my example, that would be: $HOME/localperl/bin/cpanm (note: I switched from $HOME/localperl/bin to $HOME/my/p5380/bin after this node was written to conveniently have multiple versions of perl simultaneously installed to my $HOME directory).

(Update: while using the cpan command (as above) seems best, see Building Perl and CPAN Modules Securely from Source for alternative ways to install cpanm)

Then install Module::Signature from CPAN using the cpanm command:

$ corelist Module::Signature
Module::Signature was not in CORE (or so I think)
$ corelist Digest::SHA
Digest::SHA was first released with perl v5.9.3

$ cpanm --from https://www.cpan.org/ Module::Signature 2>&1 | tee Modu
+leSignature.tmp
--> Working on Module::Signature
Fetching https://www.cpan.org/authors/id/A/AU/AUDREYT/Module-Signature
+-0.88.tar.gz ... OK
Configuring Module-Signature-0.87 ... OK
==> Found dependencies: IPC::Run
--> Working on IPC::Run
Fetching https://www.cpan.org/authors/id/T/TO/TODDR/IPC-Run-20220807.0
+.tar.gz ... OK
Configuring IPC-Run-20220807.0 ... OK
Building and testing IPC-Run-20220807.0 ... OK
Successfully installed IPC-Run-20220807.0
Building and testing Module-Signature-0.87 ... OK
Successfully installed Module-Signature-0.87
2 distributions installed
[download]

With that done, an example installing the CPAN Roman module more securely via cpanm's --verify option:

$ cpanm --from https://www.cpan.org/ --verify Roman 2>&1 | tee Roman.t
+mp
--> Working on Roman
Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/Roman-1.24.tar.gz
+ ... OK
Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/CHECKSUMS ... OK
Configuring Roman-1.24 ... OK
Building and testing Roman-1.24 ... OK
Successfully installed Roman-1.24
1 distribution installed
[download]

Note that cpanm's --verify option verifies the integrity of distribution files retrieved from CPAN using CHECKSUMS file, and SIGNATURES file (if found in the distribution).

To uninstall Roman:

$ cpanm --uninstall Roman
Roman contains the following files:

  $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
  $HOME/localperl/man/man3/Roman.3

Are you sure you want to uninstall Roman? [y] y

Unlink: $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
Unlink: $HOME/localperl/man/man3/Roman.3
Unlink: $HOME/localperl/lib/site_perl/5.38.0/x86_64-linux/auto/Roman/.
+packlist

Successfully uninstalled Roman
[download]

After installation, ensure your local perl is ahead of system perl in your path by updating your .profile adding at the end:

# Use my locally built perl 5.38.0
PATH="$HOME/localperl/bin:$PATH"
[download]

Update: see also Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source

Building Perl from Source References

• Perl Download (perl.org) - getting started quickly (notes the latest stable version)
• CPAN Perl source code (cpan.org) - how to build/install perl from source (notes the latest stable version)
• dev.perl.org - "News" link lists all Perl releases (e.g. perl-5.41.2 dev release which you can download from CPAN)
• How to install CPAN modules (cpan.org)
• A Guide to Installing Modules by tachyon (2001)
• Simple Module Tutorial by tachyon (2001)
• ExtUtils::MakeMaker::Tutorial
• ExtUtils::MakeMaker
• Dist::Zilla::Starter
• Packaging with Makefile.PL (perlmaven)
• cpan (cpan command)
• Config (perl Configuration information - the Config module contains all the information that was available to the Configure program at Perl build time)
• App::perlbrew (perlbrew command)
• App::cpanminus (cpanm command)
• CPANPLUS (cpanp command)
• local::lib
• Re: Promoting Text::CSV to base Perl? by Corion (2023)
• Detecting failures easily/obviously with cpanm by hippo (2022) - this reply mentions handy cpanm --installdeps option
• THREE new perl releases by Tux (2023) - multiple perl versions updated with important security updates
• Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source by me (2023)
• Re: 5.40 released (perl new feature References) by me (2024)
• Building Perl and CPAN Modules Securely from Source by me (2024)
• How to CPAN dry run ? by mvanle (2024)
• Upgrading Perl codebase of older Perl version by programmingzeal (2024) - see response from ikegami

Package Manager References

• Software configuration management (wikipedia)
• Package manager (wikipedia)
• RPM Package Manager aka Red Hat Package Manager (wikipedia)
• yum (software) (wikipedia)
• Conda (package manager) (wikipedia)
• CPAN (wikipedia)
• What is the difference between cpan and cpanm? (SO) - cpanp is also mentioned
• Add a tool to local conda channel by baxy77bax (2023)
• perl script to conda package by jnarayan81 (2021)

See Also

• Re: Replicate Perl setup (Building and Installing Perl References) - search for perlbrew
• Re: Security techniques every programmer should know (Security References)

Updated: Added "Example: build perl v5.38 securely from source on Ubuntu" section (thanks hippo for motivating me :). Added sha256sum check of perl-5.38.0.tar.gz. Added more references. Added Package Manager References section.

> As a development team we managed our own Perl on AIX/Unix. Upon our move to Red Hat GNU/Linux...

Can you give us more background about your development team? Knowing that helps us provide more appropriate advice.

• Is this a team of system administrators or software developers or both?
• What programming language/s and tools does your team use?
• Is it an inhouse development team ... or does it provide services to external clients?
• Any Perl programmers in the team? :)